2025-08-09 AI Startup News

AI Tools Fuel Brazilian Phishing Scam While Efimer Trojan Steals Crypto from 5,000 Victims

Cybersecurity researchers are drawing attention to a new campaign that’s using legitimate generative artificial intelligence (AI)-powered website building tools like DeepSite AI and BlackBox AI to create replica phishing pages mimicking Brazilian government agencies as part of a financially motivated campaign. The activity involves the creation of lookalike sites imitating Brazil’s State Department of Traffic and Ministry of Education, which then trick unsuspecting users into making unwarranted payments through the country’s PIX payment system, Zscaler ThreatLabz said. These fraudulent sites are artificially boosted using search engine optimization (SEO) poisoning techniques to enhance their visibility, thereby increasing the likelihood of success of the attack. “Source code analysis reveals signatures of generative AI tools, such as overly explanatory comments meant to guide developers, non-functional elements that would typically work on an authentic website, and trends like TailwindCSS styling, which is different from the traditional phishing kits used by threat actors,” Zscaler’s Jagadeeswar Ramanukolanu, Kartik Dixit, and Yesenia Barajas said.

The end goal of the attacks is to serve bogus forms that collect sensitive personal information, including Cadastro de Pessoas Físicas (CPF) numbers, Brazilian taxpayer identification numbers, and residential addresses, and to convince victims to make a one-time payment of 87.40 reals ($16) to the threat actors via PIX under the guise of completing a psychometric and medical exam or securing a job offer. To further increase the legitimacy of the campaign, the phishing pages are designed such that they employ staged data collection by progressively requesting additional information from the victim, mirroring the behavior of the authentic websites. The collected CPF numbers are also validated on the backend by means of an API created by the threat actor. “The API domain identified during analysis is registered by the threat actor,” Zscaler said.

“The API retrieves data associated with the CPF number and automatically populates the phishing page with information linked to the CPF.” That said, the company noted that it’s possible the attackers may have acquired CPF numbers and user details through data breaches or by leveraging publicly exposed APIs with an authentication key, and then used the information to increase the credibility of their phishing attempts. “While these phishing campaigns are currently stealing relatively small amounts of money from victims, similar attacks can be used to cause far more damage,” Zscaler noted.

Mass mailing Campaign Distributes Efimer Trojan to Steal Crypto

Brazil has also become the focus of a malspam campaign that impersonates lawyers from a major company to deliver a malicious script called Efimer and steal a victim’s cryptocurrency. Russian cybersecurity company Kaspersky said it detected the mass mailing campaign in June 2025, with early iterations of the malware dating all the way back to October 2024 and spread via infected WordPress websites.

“These emails falsely claimed the recipient’s domain name infringed on the sender’s rights,” researchers Vladimir Gursky and Artem Ushkov said. “This script also includes additional functionality that helps attackers spread it further by compromising WordPress sites and hosting malicious files there, among other techniques.” Efimer, besides propagating via compromised WordPress sites and email, leverages malicious torrents as a distribution vector, while communicating with its command-and-control (C2) server via the TOR network. Furthermore, the malware can extend its capabilities with additional scripts that can brute-force passwords for WordPress sites and harvest email addresses from specified websites for future email campaigns. “The script receives domains [from the C2 server] and iterates through each one to find hyperlinks and email addresses on the website pages,” Kaspersky said, noting it also serves as a spam module engineered to fill out contact forms on target websites.

In the attack chain documented by Kaspersky, the emails come fitted with ZIP archives containing another password-protected archive and an empty file with a name specifying the password to open it. Present within the second ZIP file is a malicious Windows Script File (WSF) that, when launched, infects the machine with Efimer. At the same time, the victim is displayed an error message stating the document cannot be opened on the device as a distraction mechanism. In reality, the WSF script saves two other files, “controller.js” (the trojan component) and “controller.xml,” and creates a scheduled task on the host using configuration extracted from “controller.xml.” The “controller.js” is a clipper malware that’s designed to replace cryptocurrency wallet addresses the user copies to their clipboard with the wallet address under the attacker’s control.

It can also capture screenshots and execute additional payloads received from the C2 server by connecting over the TOR network after installing a TOR proxy client on the infected computer. Kaspersky said it also discovered a second version of Efimer that, along with clipper features, also incorporates anti-VM features and scans web browsers like Google Chrome and Brave for cryptocurrency wallet extensions related to Atomic, Electrum, and Exodus, among others, and exfiltrates the results of the search back to the C2 server. The campaign is estimated to have impacted 5,015 users, based on its telemetry, with a majority of the infections concentrated in Brazil, India, Spain, Russia, Italy, Germany, the U.K., Canada, France, and Portugal. “While its primary goal is to steal and swap cryptocurrency wallets, it can also leverage additional scripts to compromise WordPress sites and distribute spam,” the researchers said.

“This allows it to establish a complete malicious infrastructure and spread to new devices.” “Another interesting characteristic of this Trojan is its attempt to propagate among both individual users and corporate environments. In the first case, attackers use torrent files as bait, allegedly to download popular movies; in the other, they send claims about the alleged unauthorized use of words or phrases registered by another company.”

Leaked Credentials Up 160%: What Attackers Are Doing With Them

When an organization’s credentials are leaked, the immediate consequences are rarely visible—but the long-term impact is far-reaching. Far from the cloak-and-dagger tactics seen in fiction, many real-world cyber breaches begin with something deceptively simple: a username and password. According to Verizon’s 2025 Data Breach Investigations Report, leaked credentials accounted for 22% of breaches in 2024, outpacing phishing and even software exploitation. That’s nearly a quarter of all incidents, initiated not through zero-days or advanced persistent threats, but by logging in through the front door.

This quiet and persistent threat has been growing. New data compiled by Cyberint—an external risk management and threat intelligence company recently acquired by Check Point—shows a 160% increase in leaked credentials in 2025 compared to the previous year. The report, titled The Rise of Leaked Credentials, provides a look into not just the volume of these leaks, but how they are exploited and what organizations can do to get ahead of them. It’s worth reading in full for those responsible for risk reduction.

A Surge Fueled by Automation and Accessibility

The rise in leaked credentials is not just about volume. It’s also about speed and accessibility. In one month alone, Cyberint identified more than 14,000 corporate credential exposures tied to organizations whose password policies were still intact—implying active use and real threat potential. Automation has made credential theft easier.

Infostealer malware, often sold as a service, allows even low-skilled attackers to harvest login data from browsers and memory. AI-generated phishing campaigns can mimic tone, language, and branding with uncanny accuracy. Once credentials are gathered, they are either sold on underground marketplaces or offered in bundles on Telegram channels and illicit forums. As outlined in the ebook, the average time it takes to remediate credentials leaked through GitHub repositories is 94 days.

That’s a three-month window where an attacker could exploit access, undetected.

How Credentials Are Used as Currency

Leaked credentials are currency for attackers—and their value goes beyond the initial login. Once obtained, these credentials become a vector for a range of malicious activity:

- Account Takeover (ATO): Attackers log into a user’s account to send phishing emails from a legitimate source, tamper with data, or launch financial scams.
- Credential Stuffing: If a user reuses passwords across services, the breach of one account can lead to others falling in a chain reaction.
- Spam Distribution and Bot Networks: Email and social accounts serve as launchpads for disinformation, spam campaigns, or promotional abuse.
- Blackmail and Extortion: Some actors contact victims, threatening to expose credentials unless payment is made. While passwords can be changed, victims often panic if the extent of the breach isn’t clear.

The downstream effects aren’t always obvious.

A compromised personal Gmail account, for example, may give attackers access to recovery emails for corporate services, or uncover shared links with sensitive attachments.

Seeing What Others Miss

Cyberint, now part of Check Point, uses automated collection systems and AI agents to monitor a wide range of sources across the open, deep, and dark web. These systems are designed to detect leaked credentials at scale, correlating details like domain patterns, password reuse, and organizational metadata to identify likely exposure—even when credentials are posted anonymously or bundled with others. Alerts are enriched with context that supports rapid triage, and integrations with SIEM and SOAR platforms enable immediate action, such as revoking credentials or enforcing password resets.

Then, Cyberint’s analysts step in. These teams conduct targeted investigations in closed forums, assess the credibility of threat actor claims, and piece together identity and attribution signals. By combining machine-driven coverage with direct access to underground communities, Cyberint provides both scale and precision—allowing teams to act before leaked credentials are actively used. Credential leaks don’t only occur on monitored workstations.

According to Cyberint data, 46% of the devices tied to corporate credential leaks were not protected by endpoint monitoring. These include personal laptops or unmanaged devices where employees access business applications, which can serve as blind spots for many teams. Cyberint’s threat detection stack integrates with SIEM and SOAR tools, allowing automated responses like revoking access or forcing password resets the moment a breach is identified. This closes the gap between detection and action—a crucial factor when every hour counts.

The full report dives deeper into how these processes work, and how organizations can operationalize this intelligence across teams.

Exposure Detection Is Now a Competitive Advantage

Even with secure password policies, MFA, and modern email filtering, credential theft remains a statistical likelihood. What differentiates organizations is how fast they detect exposure and how tightly their remediation workflows are aligned.

Two playbooks featured in the ebook show how teams can respond effectively, both for employee and third-party vendor credentials. Each outlines procedures for detection, source validation, access revocation, stakeholder communication, and post-incident review. But the key takeaway is this: proactive discovery matters more than reactive forensics. Waiting for threat actors to make the first move extends dwell time and increases the scope of damage.

The ability to identify credentials shortly after they appear in underground forums—before they’ve been packaged up or weaponized in automated campaigns—is what separates successful defense from reactive cleanup. If you’re wondering whether your organization has exposed credentials floating in the deep or dark web, you don’t need to guess. You can check.

Mitigation Isn’t Just About Prevention

No single control can fully eliminate the risk of credential exposure, but multiple layers can reduce the impact:

- Strong Password Policy: Enforce regular password changes and prohibit reuse across platforms.
- SSO and MFA: Add barriers beyond the password. Even basic MFA makes credential stuffing far less effective.
- Rate Limiting: Set thresholds for login attempts to disrupt brute-force and credential spraying tactics.
- PoLP: Limit user access to only what’s needed, so compromised accounts don’t provide broader entry.
- Phishing Awareness Training: Educate users about social engineering techniques to reduce initial leaks.
- Monitoring Exposure: Implement detection across forums, marketplaces, and paste sites to flag mentions of corporate credentials.

Each of these controls is helpful, but even together, they aren’t enough if exposure goes unnoticed for weeks or months. That’s where detection intelligence from Cyberint comes in.

You can learn more methods by reading the full report.

Before the Next Password is Stolen

It’s not a matter of if an account associated with your domain will be exposed—it’s already happened. The real question is: has it been found? Thousands of credentials tied to active accounts are currently being passed around marketplaces, forums, and Telegram chats.

Many belong to users who still have access to corporate resources. Some are bundled with metadata like device type, session cookies, or even VPN credentials. Once shared, this information spreads fast and becomes impossible to retract. Identifying exposures before they’re used is one of the few meaningful advantages defenders have.

And it starts with knowing where to look. Threat intelligence plays a central role in detection and response, especially when it comes to exposed credentials. Given their widespread circulation across criminal networks, credentials require focused monitoring and clear processes for mitigation. Check if your company’s credentials are exposed across the open, deep, and dark web.

The earlier they’re found, the fewer incidents there will be to respond to later. This article is a contributed piece from one of our valued partners.

RubyGems, PyPI Hit by Malicious Packages Stealing Credentials, Crypto, Forcing Security Changes

A fresh set of 60 malicious packages has been uncovered targeting the RubyGems ecosystem by posing as seemingly innocuous automation tools for social media, blogging, or messaging services to steal credentials from unsuspecting users. The activity is assessed to be active since at least March 2023, according to the software supply chain security company Socket. Cumulatively, the gems have been downloaded more than 275,000 times. That said, it bears noting that the figure may not accurately represent the actual number of compromised systems, as not every download results in execution, and it’s possible several of these gems have been downloaded to a single machine.

“Since at least March 2023, a threat actor using the aliases zon, nowon, kwonsoonje, and soonje has published 60 malicious gems posing as automation tools for Instagram, Twitter/X, TikTok, WordPress, Telegram, Kakao, and Naver,” security researcher Kirill Boychenko said. While the identified gems offered the promised functionality, such as bulk posting or engagement, they also harbored covert functionality to exfiltrate usernames and passwords to an external server under the threat actor’s control by displaying a simple graphical user interface to enter users’ credentials. Some of the gems, such as njongto_duo and jongmogtolon, are notable for focusing on financial discussion platforms, with the libraries marketed as tools to flood investment-related forums with ticker mentions, stock narratives, and synthetic engagement to amplify visibility and manipulate public perception. The servers that are used to receive the captured information include programzon[.]com, appspace[.]kr, and marketingduo[.]co[.]kr.

These domains have been found to advertise bulk messaging, phone number scraping, and automated social media tools. Victims of the campaign are likely to be grey-hat marketers who rely on such tools to run spam, search engine optimization (SEO), and engagement campaigns that artificially boost engagement. “Each gem functions as a Windows-targeting infostealer, primarily (but not exclusively) aimed at South Korean users, as evidenced by Korean-language UIs and exfiltration to .kr domains,” Socket said. “The campaign evolved across multiple aliases and infrastructure waves, suggesting a mature and persistent operation.” “By embedding credential theft functionality within gems marketed to automation-focused grey-hat users, the threat actor covertly captures sensitive data while blending into activity that appears legitimate.”

The development comes as GitLab detected multiple typosquatting packages on the Python Package Index (PyPI) that are designed to steal cryptocurrency from Bittensor wallets by hijacking the legitimate staking functions.

The names of the Python libraries, which mimic bittensor and bittensor-cli, are below:

- bitensor (versions 9.9.4 and 9.9.5)
- bittenso-cli
- qbittensor
- bittenso

“The attackers appear to have specifically targeted staking operations for calculated reasons,” GitLab’s Vulnerability Research team said. “By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations.”

The disclosure also follows new restrictions imposed by PyPI maintainers to secure Python package installers and inspectors from confusion attacks arising from ZIP parser implementations. Put differently, PyPI said it will reject Python packages “wheels” (which are nothing but ZIP archives) that attempt to exploit ZIP confusion attacks and smuggle malicious payloads past manual reviews and automated detection tools. “This has been done in response to the discovery that the popular installer uv has a different extraction behavior to many Python-based installers that use the ZIP parser implementation provided by the zipfile standard library module,” the Python Software Foundation’s (PSF) Seth Michael Larson said.

PyPI credited Caleb Brown from the Google Open Source Security Team and Tim Hatch from Netflix for reporting the issue. It also said it will warn users when they publish wheels whose ZIP contents don’t match the included RECORD metadata file. “After 6 months of warnings, on February 1st, 2026, PyPI will begin rejecting newly uploaded wheels whose ZIP contents don’t match the included RECORD metadata file,” Larson said.
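The RECORD rule described above can also be checked on the consumer side before a wheel is installed. The following is an added example, not PyPI's or uv's code: it compares the entries of a wheel's ZIP archive with its RECORD file and flags extra, missing, altered, or duplicated entries. The package name `demo_pkg` and the sample wheel are constructed for illustration, and the check does not cover every ZIP parser disagreement.

```python
import base64
import csv
import hashlib
import io
import warnings
import zipfile

ALLOWED_ALGOS = {"sha256", "sha384", "sha512"}


def record_digest(algo: str, data: bytes) -> str:
    """RECORD stores digests as urlsafe base64 with the '=' padding removed."""
    raw = hashlib.new(algo, data).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_wheel_record(wheel_bytes: bytes) -> list:
    """Compare a wheel's ZIP entries with its RECORD; [] means they agree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]

        # Two entries with one name let different extractors pick different files.
        for name in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"duplicate entry: {name}")

        records = {n for n in names
                   if n.endswith(".dist-info/RECORD") and n.count("/") == 1}
        if len(records) != 1:
            return findings + ["expected exactly one *.dist-info/RECORD"]
        record_path = records.pop()

        # RECORD rows are CSV: path,algo=digest,size (RECORD's own row has no hash).
        text = zf.read(record_path).decode("utf-8")
        recorded = {}
        for row in csv.reader(io.StringIO(text)):
            if row:
                recorded[row[0]] = row[1] if len(row) > 1 else ""

        for name in sorted(set(names) - set(recorded)):
            findings.append(f"in ZIP but not in RECORD: {name}")
        for name in sorted(set(recorded) - set(names)):
            findings.append(f"in RECORD but not in ZIP: {name}")

        # Hash every archive entry, including each copy of a duplicated name.
        for info in infos:
            expected = recorded.get(info.filename, "")
            if info.filename == record_path or not expected:
                continue
            algo, _, digest = expected.partition("=")
            if algo not in ALLOWED_ALGOS:
                findings.append(f"unsupported hash: {info.filename}")
            elif record_digest(algo, zf.read(info)) != digest:
                findings.append(f"hash mismatch: {info.filename}")
    return findings


def build_sample_wheel(extra=(), tamper=False) -> bytes:
    """Constructed sample wheel for a hypothetical package 'demo_pkg'.

    extra:  (name, data) entries written to the ZIP but left out of RECORD.
    tamper: change a file's bytes after its RECORD hash was computed.
    """
    files = {
        "demo_pkg/__init__.py": b"VERSION = '1.0'\n",
        "demo_pkg-1.0.dist-info/METADATA": b"Name: demo-pkg\nVersion: 1.0\n",
        "demo_pkg-1.0.dist-info/WHEEL": b"Wheel-Version: 1.0\n",
    }
    rows = [f"{n},sha256={record_digest('sha256', d)},{len(d)}"
            for n, d in files.items()]
    rows.append("demo_pkg-1.0.dist-info/RECORD,,")
    if tamper:
        files["demo_pkg/__init__.py"] += b"import os  # added after RECORD\n"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in files.items():
                zf.writestr(name, data)
            zf.writestr("demo_pkg-1.0.dist-info/RECORD", "\n".join(rows) + "\n")
            for name, data in extra:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    hidden = [("demo_pkg/_hidden.py", b"pass\n")]
    print(check_wheel_record(build_sample_wheel()))
    print(check_wheel_record(build_sample_wheel(extra=hidden)))
```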


GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions

A newly discovered campaign dubbed GreedyBear has leveraged over 150 malicious extensions to the Firefox marketplace that are designed to impersonate popular cryptocurrency wallets and steal more than $1 million in digital assets. The published browser add-ons masquerade as MetaMask, TronLink, Exodus, and Rabby Wallet, among others, Koi Security researcher Tuval Admoni said. What makes the activity notable is the threat actor’s use of a technique that the cybersecurity company called Extension Hollowing to bypass safeguards put in place by Mozilla and exploit user trust. It’s worth noting that some aspects of the campaign were first documented by security researcher Lukasz Olejnik last week.

“Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching,” Admoni said in a report published Thursday. To achieve this, the attackers first create a publisher account in the marketplace, upload innocuous extensions with no actual functionality to sidestep initial reviews, post fake positive reviews to create an illusion of credibility, and modify their innards with malicious capabilities. The fake extensions are designed to capture wallet credentials entered by unsuspecting users and exfiltrate them to an attacker-controlled server. It also gathers victims’ IP addresses for likely tracking purposes.

The campaign is assessed to be an extension of a previous iteration called Foxy Wallet that involved the threat actors publishing no less than 40 malicious browser extensions for Mozilla Firefox with similar goals in mind. The latest spike in the number of extensions indicates the growing scale of the operation. The fake wallet cryptocurrency draining attacks are augmented by campaigns that distribute malicious executables through various Russian sites that peddle cracked and pirated software, leading to the deployment of information stealers and even ransomware. The GreedyBear actors have also been found setting up scam sites that pose as cryptocurrency products and services, such as wallet repair tools, to possibly trick users into parting with their wallet credentials, or payment details, resulting in credential theft and financial fraud.

Koi Security said it was able to link the three attack verticals to a single threat actor based on the fact that the domains used in these efforts all point to a lone IP address: 185.208.156[.]66, which acts as a command-and-control (C2) server for data collection and management. There is evidence to suggest that the extension-related attacks are branching out to target other browser marketplaces. This is based on the discovery of a Google Chrome extension named Filecoin Wallet that has used the same C2 server and the underlying logic to pilfer credentials. To make matters worse, an analysis of the artifacts has uncovered signs that they may have been created using artificial intelligence (AI)-powered tools.

This underscores how threat actors are increasingly misusing AI systems to enable attacks at scale and at speed. “This variety indicates the group is not deploying a single toolset, but rather operating a broad malware distribution pipeline, capable of shifting tactics as needed,” Admoni said. “The campaign has since evolved the difference now is scale and scope: this has evolved into a multi-platform credential and asset theft campaign, backed by hundreds of malware samples and scam infrastructure.”

Ethereum Drainers Pose as Trading Bots to Steal Crypto

The disclosure comes as SentinelOne flagged a widespread and ongoing cryptocurrency scam that entails distributing a malicious smart contract disguised as a trading bot in order to drain user wallets. The fraudulent Ethereum drainer scheme, active since early 2024, is estimated to have already netted the threat actors more than $900,000 in stolen profits.

“The scams are marketed through YouTube videos which explain the purported nature of the crypto trading bot and explain how to deploy a smart contract on the Remix Solidity Compiler platform, a web-based integrated development environment (IDE) for Web3 projects,” researcher Alex Delamotte said. “The video descriptions share a link to an external site that hosts the weaponized smart contract code.” The videos are said to be AI-generated and are published from aged accounts that post other sources’ cryptocurrency news as playlists in an effort to build legitimacy. The videos also feature overwhelmingly positive comments, suggesting that the threat actors are actively curating the comment sections and removing any negative feedback. One of the YouTube accounts pushing the scam was created in October 2022.

This either indicates that the fraudsters slowly and steadily boosted the account’s credibility over time or may have purchased it from a service selling such aged YouTube channels off Telegram and dedicated sites like Accs-market and Aged Profiles. The attack moves to the next phase when the victim deploys the smart contract, after which the victims are instructed to send ETH to the new contract, which then causes the funds to be routed to an obfuscated threat actor-controlled wallet. “The combination of AI-generated content and aged YouTube accounts available for sale means that any modestly-resourced actor can obtain a YouTube account that the algorithm deems ‘established’ and weaponize the account to post customized content under a false pretext of legitimacy,” Delamotte said.


SocGholish Malware Spread via Ad Tools; Delivers Access to LockBit, Evil Corp, and Others

The threat actors behind the SocGholish malware have been observed leveraging Traffic Distribution Systems (TDSs) like Parrot TDS and Keitaro TDS to filter and redirect unsuspecting users to sketchy content. “The core of their operation is a sophisticated Malware-as-a-Service (MaaS) model, where infected systems are sold as initial access points to other cybercriminal organizations,” Silent Push said in an analysis. SocGholish, also called FakeUpdates, is a JavaScript loader malware that’s distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, as well as other software such as Adobe Flash Player or Microsoft Teams. It’s attributed to a threat actor called TA569, which is also tracked as Gold Prelude, Mustard Tempest, Purple Vallhund, and UNC1543.

Attack chains involve deploying SocGholish to establish initial access and broker that compromised system access to a diverse clientele, including Evil Corp (aka DEV-0243), LockBit, Dridex, and Raspberry Robin (aka Roshtyak). Interestingly, recent campaigns have also leveraged Raspberry Robin as a distribution vector for SocGholish. “SocGholish infections typically originate from compromised websites that have been infected in multiple different ways,” Silent Push said. “Website infections can involve direct injections, where the SocGholish payload delivery injects JS directly loaded from an infected webpage or via a version of the direct injection that uses an intermediate JS file to load the related injection.” Besides redirecting to SocGholish domains via compromised websites, another primary source of traffic involves using third-party TDSes like Parrot TDS and Keitaro TDS to direct web traffic to specific websites or to landing pages after performing extensive fingerprinting of the site visitor and determining if they are of interest based on certain predefined criteria.

Keitaro TDS has long been involved in threat activity going beyond malvertising and scams to deliver more sophisticated malware, including exploit kits, loaders, ransomware, and Russian influence operations. Last year, Infoblox revealed how SocGholish, a VexTrio partner, used Keitaro to redirect victims to VexTrio’s TDSes. “Because Keitaro also has many legitimate applications, it is frequently difficult or impossible to simply block traffic through the service without generating excessive false positives, although organizations can consider this in their own policies,” Proofpoint noted back in 2019. Keitaro TDS is believed to be connected to TA2726, which has functioned as a traffic provider for both SocGholish and TA2727 by compromising websites and injecting a Keitaro TDS link, and then selling that to its customers.

“The intermediate C2 [command-and-control] framework dynamically generates payloads that victims download at runtime,” Silent Push noted. “It is essential to note that across the execution framework, from the initial SocGholish injection to the on-device execution of the Windows implant, the entire process is continuously tracked by SocGholish’s C2 framework. If, at any time, the framework determines that a given victim is not ‘legitimate,’ it will stop the serving of a payload.” The cybersecurity company has also assessed that there are possibly former members who are involved in Dridex, Raspberry Robin, and SocGholish, given the overlapping nature of the campaigns observed. The development comes as Zscaler detailed an updated version of Raspberry Robin that features improved obfuscation methods, changes to its network communication process, and embeds pointing to intentionally corrupted TOR C2 domains, signaling continued efforts to avoid detection and hinder reverse engineering efforts.

“The network encryption algorithm has changed from AES (CTR mode) to Chacha-20,” the company said. “Raspberry Robin has added a new local privilege escalation (LPE) exploit (CVE-2024-38196) to gain elevated privileges on targeted systems.”

The disclosure also follows an evolution of DarkCloud Stealer attacks that employ phishing emails to deliver a ConfuserEx-protected version of the stealer payload written in Visual Basic 6, which is launched and executed using a technique called process hollowing. “DarkCloud Stealer is typical of an evolution in cyberthreats, leveraging obfuscation techniques and intricate payload structures to evade traditional detection mechanisms,” Unit 42 said. “The shift in delivery methods observed in April 2025 indicates an evolving evasion strategy.” Fortinet FortiGuard Labs, which also detailed another DarkCloud campaign, said it identified phishing emails that tricked recipients into opening an attached RAR file under the pretext of providing an urgent quote.

The RAR archives contain a JavaScript payload that, when launched, decodes PowerShell responsible for dropping a fileless variant of the stealer via an encrypted DLL embedded within a JPEG image hosted on The Internet Archive. DarkCloud gathers “credentials, payment information stored in web browsers, FTP clients, and email clients,” security researcher Xiaopeng Zhang said. “It also collects the email contacts from the victim’s email client software.”

Webinar: How to Stop Python Supply Chain Attacks—and the Expert Tools You Need

Python is everywhere in modern software. From machine learning models to production microservices, chances are your code—and your business—depends on Python packages you didn’t write. But in 2025, that trust comes with a serious risk. Every few weeks, we’re seeing fresh headlines about malicious packages uploaded to the Python Package Index (PyPI)—many going undetected until after they’ve caused real harm.

One of the most dangerous recent examples? In December 2024, attackers quietly compromised the Ultralytics YOLO package, widely used in computer vision applications. It was downloaded thousands of times before anyone noticed. This wasn’t an isolated event.

This is the new normal. Python supply chain attacks are rising fast—and your next pip install could be the weakest link. Join our webinar to learn what’s really happening, what’s coming next, and how to secure your code with confidence. Don’t wait for a breach.

Watch this webinar now and take control.

What’s Really Going On?

Attackers are exploiting weak links in the open-source supply chain.

They’re using tricks like: Typo-squatting: Uploading fake packages with names like requessts or urlib. Repojacking: Hijacking abandoned GitHub repos once linked to trusted packages. Slop-squatting: Publishing popular misspellings before a legit maintainer claims them. Once a developer installs one of these packages—intentionally or not—it’s game over.
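The typo-squatting names mentioned above can be caught before install. This is an added example, not code from the webinar or its sponsor: it compares the names in a requirements file against an allowlist using PEP 503 name normalization and edit distance. The allowlist, the distance thresholds and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: the canonical names this project is meant to depend on.
KNOWN_GOOD = {"requests", "urllib3", "numpy", "python-dateutil"}

# Constructed sample requirements file (not taken from any real project).
SAMPLE_REQUIREMENTS = """\
# web client
requests==2.32.3
requessts==2.31.0
urlib>=1.0            # meant urllib3
Python_DateUtil==2.9.0
numpy[extra]>=1.26 ; python_version >= "3.9"
-r base.txt
internal-billing-client==0.4
"""

_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503: names compare case-insensitively; runs of - _ . equal one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "reqeusts" -> "requests".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def audit_requirements(text, known_good=KNOWN_GOOD):
    """Return (lookalikes, unlisted).

    lookalikes: [(line_no, name, nearest_known_good, distance)]
    unlisted:   [(line_no, name)] not on the allowlist and not close to it
    """
    known = {normalize(k) for k in known_good}
    lookalikes, unlisted = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option
            continue
        match = _NAME.match(line)
        if not match:
            continue
        name = normalize(match.group(1))
        if name in known:
            continue
        # Short names get a tighter threshold to limit false positives.
        limit = 1 if len(name) <= 4 else 2
        dist, nearest = min((osa_distance(name, k), k) for k in known)
        if dist <= limit:
            lookalikes.append((no, name, nearest, dist))
        else:
            unlisted.append((no, name))
    return lookalikes, unlisted


if __name__ == "__main__":
    hits, unknown = audit_requirements(SAMPLE_REQUIREMENTS)
    for no, name, nearest, dist in hits:
        print(f"line {no}: {name!r} is {dist} edit(s) from {nearest!r}")
    for no, name in unknown:
        print(f"line {no}: {name!r} is not on the allowlist, review it")
```

Run as a pre-install gate in CI, a check like this fails the build on a lookalike name and leaves unlisted names for manual review.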

And it’s not just rogue packages. Even the official Python container image ships with critical vulnerabilities. At the time of writing, there are over 100 high and critical CVEs in the standard Python base image. Fixing them isn’t easy, either.

That’s the “my boss told me to fix Ubuntu” problem—when your app team inherits infra problems no one wants to own.

It’s Time to Treat Python Supply Chain Security Like a First-Class Problem

The traditional approach—“just pip install and move on”—won’t cut it anymore. Whether you’re a developer, a security engineer, or running production systems, you need visibility and control over what you’re pulling in. And here’s the good news: you can secure your Python environment without breaking your workflow. You just need the right tools, and a clear playbook. That’s where this webinar comes in.

🎥 Join Us: How to Secure Your Python Supply Chain in 2025

In this session, we’ll walk through:

- The Anatomy of Modern Python Supply Chain Attacks: What happened in recent PyPI incidents—and why they keep happening.
- What You Can Do Today: From pip install hygiene to using tools like pip-audit, Sigstore, and SBOMs.
- Behind the Scenes: Sigstore & SLSA: How modern signing and provenance frameworks are changing how we trust code.
- How PyPI is Responding: The latest ecosystem-wide changes and what they mean for package consumers.
- Zero-Trust for Your Python Stack: Using Chainguard Containers and Chainguard Libraries to ship secure, CVE-free code out of the box.

The threats are getting smarter. The tooling is getting better. But most teams are stuck somewhere in the middle—relying on default images, no validation, and hoping their dependencies don’t betray them. You don’t have to become a security expert overnight—but you do need a roadmap. Whether you’re early in your journey or already doing audits and signing, this session will help you take your Python supply chain to the next level.

Your application is only as secure as the weakest import. It’s time to stop trusting blindly and start verifying. Join us. Get practical. Get secure.

This article is a contributed piece from one of our valued partners.

Malicious Go, npm Packages Deliver Cross-Platform Malware, Trigger Remote Data Wipes

Cybersecurity researchers have discovered a set of 11 malicious Go packages that are designed to download additional payloads from remote servers and execute them on both Windows and Linux systems. “At runtime the code silently spawns a shell, pulls a second-stage payload from an interchangeable set of .icu and .tech command-and-control (C2) endpoints, and executes it in memory,” Socket security researcher Olivia Brown said.

The list of identified packages is below:

- github.com/stripedconsu/linker
- github.com/agitatedleopa/stm
- github.com/expertsandba/opt
- github.com/wetteepee/hcloud-ip-floater
- github.com/weightycine/replika
- github.com/ordinarymea/tnsr_ids
- github.com/ordinarymea/TNSR_IDS
- github.com/cavernouskina/mcp-go
- github.com/lastnymph/gouid
- github.com/sinfulsky/gouid
- github.com/briefinitia/gouid

The packages conceal an obfuscated loader that harbors functionality to fetch second-stage ELF and portable executable (PE) binaries, which, in turn, can gather host information, access web browser data, and beacon out to its C2 server. “Because the second-stage payload delivers a bash-scripted payload for Linux systems and retrieves Windows executables via certutil.exe, both Linux build servers and Windows workstations are susceptible to compromise,” Brown said.

Complicating matters is the decentralized nature of the Go ecosystem, which allows modules to be directly imported from GitHub repositories, causing significant developer confusion when searches for a package on pkg.go.dev can return several similarly named modules, although they may not necessarily be malicious in nature. “Attackers exploit the confusion, carefully crafting their malicious module namespaces to appear trustworthy at a glance, significantly increasing the likelihood developers inadvertently integrate destructive code into their projects,” Socket said. It’s assessed that the packages are the work of a single threat actor due to C2 reuse and the format of the code. The findings underscore the continued supply chain risks arising from the cross-platform nature of Go to push malware.

The development coincides with the discovery of two npm packages, naya-flore and nvlore-hsc, that masquerade as WhatsApp socket libraries while incorporating a phone number-based kill switch that can remotely wipe developers’ systems. The packages, which have been collectively downloaded over 1,110 times, continue to remain available on the npm registry as of writing. Both libraries were published by a user named “nayflore” in early July 2025. Central to their operations is their ability to retrieve a remote database of Indonesian phone numbers from a GitHub repository.

Once the package is executed, it first checks if the current phone is in the database, and, if not, proceeds to recursively delete all files using the command “rm -rf *” following a WhatsApp pairing process. The packages have also been found to contain a function to exfiltrate device information to an external endpoint, but calls to the function have been commented out, suggesting that the threat actor behind the scheme is signaling ongoing development. “naya-flore also contains a hardcoded GitHub Personal Access Token that provides unauthorized access to private repositories,” security researcher Kush Pandya said. “The purpose of this token remains unclear from the available code.” “The presence of an unused GitHub token could indicate incomplete development, planned functionality that was never implemented, or usage in other parts of the codebase not included in these packages.”

Open-source repositories continue to be an attractive malware distribution channel in software supply chains, with the packages designed to steal sensitive information and even targeting cryptocurrency wallets in some cases.
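To check a code base for the Go modules and npm packages named in this article, the dependency manifests can be scanned directly. This is an added example, not code from Socket or the researchers quoted: it matches go.mod/go.sum and package.json/package-lock.json content against the names listed above. The sample manifests are constructed, and the case-insensitive and prefix matching are choices made here.

```python
import json

# Module paths and package names exactly as listed in the article.
GO_MODULES = [
    "github.com/stripedconsu/linker",
    "github.com/agitatedleopa/stm",
    "github.com/expertsandba/opt",
    "github.com/wetteepee/hcloud-ip-floater",
    "github.com/weightycine/replika",
    "github.com/ordinarymea/tnsr_ids",
    "github.com/ordinarymea/TNSR_IDS",
    "github.com/cavernouskina/mcp-go",
    "github.com/lastnymph/gouid",
    "github.com/sinfulsky/gouid",
    "github.com/briefinitia/gouid",
]
NPM_PACKAGES = {"naya-flore", "nvlore-hsc"}
# GitHub owner/repo names are case-insensitive, so compare lowercased.
_GO_LISTED = {m.lower() for m in GO_MODULES}

# Constructed sample inputs (not taken from any real project).
SAMPLE_GO_MOD = """\
module example.com/build-tools

require (
    example.com/cli v1.0.0
    github.com/OrdinaryMea/TNSR_IDS v0.0.1 // indirect
)

replace example.com/internal/uid => github.com/lastnymph/gouid/v2 v2.0.0
// require github.com/sinfulsky/gouid v1.0.0
"""
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "constructed-bot",
    "dependencies": {"wa-socket": "npm:naya-flore@1.0.0"},
    "devDependencies": {"nvlore-hsc": "*", "left-pad": "^1.3.0"},
})
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "constructed-bot"},
    "node_modules/a/node_modules/nvlore-hsc": {"version": "0.0.0"},
}})


def listed_go_module(path):
    """Return the listed module (lowercased) that `path` belongs to, else None."""
    p = path.strip('"').lower()
    for mod in _GO_LISTED:
        # The prefix match also catches subpackages and /vN version suffixes.
        if p == mod or p.startswith(mod + "/"):
            return mod
    return None


def scan_go_text(text):
    """Scan go.mod or go.sum content; return [(line_no, listed_module)]."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("//", 1)[0]  # commented-out directives are ignored
        for token in code.split():     # covers require, replace and go.sum
            mod = listed_go_module(token)
            if mod:
                hits.append((no, mod))
                break
    return hits


def _real_npm_name(name, spec):
    """Resolve npm aliases: "alias": "npm:real-name@1.0.0" installs real-name."""
    if isinstance(spec, str) and spec.startswith("npm:"):
        real = spec[4:]
        at = real.rfind("@")
        return real[:at] if at > 0 else real
    return name


def scan_npm_text(text):
    """Scan package.json or package-lock.json (v2/v3); return sorted hits."""
    doc = json.loads(text)
    sections = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")
    # The manifest itself plus every entry of a lockfile's "packages" map.
    entries = [("", doc)] + list((doc.get("packages") or {}).items())
    found = set()
    for key, entry in entries:
        # Lockfile keys look like node_modules/a/node_modules/b.
        names = [key.rpartition("node_modules/")[2]]
        for section in sections:
            deps = entry.get(section) or {}
            if isinstance(deps, dict):
                names += [_real_npm_name(n, s) for n, s in deps.items()]
        found.update(n for n in names if n.lower() in NPM_PACKAGES)
    return sorted(found)
```

The lockfile and go.sum matter as much as the top-level manifests, because a listed package can arrive as a transitive dependency, an alias or a replace target without appearing in the direct requirements.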

“While overall tactics have not evolved significantly, attackers continue to rely on proven techniques, such as minimizing file count, using installation scripts, and employing discreet data exfiltration methods that maximize impact,” Fortinet FortiGuard Labs said. “A continued rise in obfuscation also further notes the importance of vigilance and ongoing monitoring required by users of these services. And as OSS continues to grow, so too will the attack surface for supply chain threats.”

Update: The npm packages incorporating remote data wipe capabilities have been removed from the Node.js registry.

The AI-Powered Security Shift: What 2025 Is Teaching Us About Cloud Defense

Now that we are well into 2025, cloud attacks are evolving faster than ever and artificial intelligence (AI) is both a weapon and a shield. As AI rapidly changes how enterprises innovate, security teams are now tasked with a triple burden:

- Secure AI embedded in every part of the business.
- Use AI to defend faster and smarter.
- Fight AI-powered threats that execute in minutes—or seconds.

Security is no longer about balancing speed and safety. In today’s cloud-native world, real-time, context-aware defense is a baseline expectation, not a competitive edge. The recent Sysdig Cloud Defense Report 2025 breaks down this tectonic shift. Below, we unpack its key insights for security practitioners aiming to stay ahead of an accelerating threat landscape.

AI: The Double-Edged Sword of Cloud Security

AI is transforming the security paradigm. It is both empowering defenders and creating entirely new attack surfaces.

AI for Security: Fighting Fire with Fire

Attackers are automating faster. In campaigns like CRYSTALRAY, adversaries chain together open-source tools to perform reconnaissance, lateral movement, and credential harvesting. These attacks show a level of coordination and speed that would be impossible without automation. Security teams are responding in kind. Tools like Sysdig Sage™, a fully integrated AI cloud security analyst, are driving mean time to respond down by 76%. More than half of Sysdig customers now use Sysdig Sage, with the software and business services sectors leading adoption.

Key ways security teams are leveraging AI include:

- Contextual enrichment: AI quickly correlates related events and aggregates data that makes alerts understandable.
- Summarization and deduplication: AI links alerts to previous incidents and helps focus on what’s relevant.
- Workflow automation: AI handles repetitive tasks like ticket creation, vulnerability analysis, and escalation logic.
- Decision acceleration: By acting as a tier-one analyst, AI allows human defenders to move faster and make informed decisions.

The lesson is simple: in a cloud world where attacks happen at machine speed, defense must be equally agile.

Security for AI: Protecting the New Digital Crown Jewels

But here’s the flip side: AI itself is now a prime target that needs to be protected. The Sysdig Threat Research Team has been identifying and reporting more attacks against LLMs and other AI tools since mid-2024. Sysdig observed a 500% surge in cloud workloads containing AI/ML packages in 2024, indicating massive adoption. However, a recent 25% decline suggests teams are buckling down on security and improving governance. Recommendations to secure AI systems include securing APIs by authenticating and restricting access to public endpoints, hardening configurations by disabling open defaults like unauthenticated admin panels, enforcing least privilege to control root access and limit elevated permissions, monitoring for shadow AI through workload audits for unauthorized models and packages, and implementing data guardrails to filter prompts and outputs for sensitive information. The bottom line: AI requires the same level of rigor and protection as any other business-critical system, especially as it becomes deeply embedded across both customer-facing and back-end operations.

Runtime Security: No Longer Optional, But Foundational

Prevention may reign supreme, but in today’s cloud-native, ephemeral world, runtime visibility is your best shot at catching in motion whatever slips through the cracks.

The Case for Real-Time Threat Detection

Runtime detection isn’t just a defensive layer—it’s a strategic necessity in today’s cloud-native environments. With 60% of containers living for one minute or less and CI/CD pipelines emerging as high-value targets due to misconfigurations and insecure defaults, the window to detect and respond is incredibly narrow. Cloud attacks now unfold in 10 minutes or less, prompting the creation of the 555 Cloud Detection and Response Benchmark, a framework that guides security teams to detect threats in 5 seconds, investigate in 5 minutes, and respond within the next 5 minutes.

Why Runtime Context Matters

Traditional vulnerability scans bury teams under noise. But less than 6% of high and critical vulnerabilities are active in production. That means the rest are distractions. Runtime insights help security teams:

- Prioritize real risks: Focus remediation on vulnerabilities loaded into memory.
- Reduce noise: Cut vulnerability lists by up to 99%.
- Collaborate better: Provide developers with clear, contextual remediation steps.

The CI/CD Pipeline: A Growing Target

CI/CD workflows sit at the heart of modern DevOps, enabling rapid, automated delivery. But in 2025, they’ve also emerged as an attractive and increasingly exploited attack surface. From repository compromises to misconfigured automation, attackers are finding creative ways to infiltrate build systems—often before code even reaches production.

Several high-impact vulnerabilities uncovered this year reveal just how exposed the CI/CD pipeline can be. These incidents serve as a wake-up call: your build system is part of your attack surface—and without real-time visibility, you might not spot an attack until it’s too late. Tools like Falco and Falco Actions are helping defenders stay one step ahead by detecting threats as they execute, not after the damage is done.

Open Source: The Heart of Modern Security Innovation

Security has always been about community. Attackers share tools, and defenders must too. Open source tools now power much of the modern cloud defense strategy. Falco has evolved from a basic intrusion detection system (IDS) into a powerful real-time detection engine, now supporting eBPF for deeper visibility into cloud-native environments, all with the support of the open source community. It integrates with tools like Falco Actions, Falcosidekick, and Falco Talon to provide broader control, automation, and workflow customization. This makes Falco especially valuable in regulated sectors such as finance, health care, and government, where self-hosted deployments and custom detection rules are critical for compliance and control.

The EU Data Act and the Rise of Sovereign Security

With regulations like the EU Data Act taking effect in September 2025, organizations are required to control and localize their data. Open source plays a critical role in meeting these requirements by enabling self-hosted deployments, offering transparent codebases for audit and compliance, and fostering community-driven innovation that supports trust and flexibility.

This article is a contributed piece from one of our valued partners.

Microsoft Discloses Exchange Server Flaw Enabling Silent Cloud Access in Hybrid Setups

Microsoft has released an advisory for a high-severity security flaw affecting on-premise versions of Exchange Server that could allow an attacker to gain elevated privileges under certain conditions. The vulnerability, tracked as CVE-2025-53786, carries a CVSS score of 8.0. Dirk-jan Mollema with Outsider Security has been acknowledged for reporting the bug. “In an Exchange hybrid deployment, an attacker who first gains administrative access to an on-premises Exchange server could potentially escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces,” the tech giant said in the alert.

“This risk arises because Exchange Server and Exchange Online share the same service principal in hybrid configurations.” Successful exploitation of the flaw could allow an attacker to escalate privileges within the organization’s connected cloud environment without leaving easily detectable and auditable traces, the company added. However, the attack hinges on the threat actor already having administrator access to an Exchange Server. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in a bulletin of its own, said the vulnerability could impact the identity integrity of an organization’s Exchange Online service if left unpatched.

As mitigations, customers are recommended to review Exchange Server security changes for hybrid deployments, install the April 2025 Hot Fix (or newer), and follow the configuration instructions. “If you’ve previously configured Exchange hybrid or OAuth authentication between Exchange Server and your Exchange Online organization but no longer use it, make sure to reset the service principal’s keyCredentials,” Microsoft said. In a presentation at the Black Hat USA 2025 security conference, Mollema said on-premise versions of Exchange Server have a certificate credential that’s used to authenticate to Exchange online and allow OAuth in hybrid scenarios. These certificates can be leveraged to request Service-to-Service (S2S) actor tokens from Microsoft’s Access Control Service (ACS), ultimately providing unfettered access to Exchange Online and SharePoint without any Conditional Access or security checks.

More importantly, these tokens can be used to impersonate any hybrid user within the tenant for a 24-hour period when the “trustedfordelegation” property is set, and leave no logs when they are issued. As mitigations, Microsoft plans to enforce mandatory separation of Exchange on-premises and Exchange Online service principals by October 2025. The development comes as the Windows maker said it will begin temporarily blocking Exchange Web Services (EWS) traffic using the Exchange Online shared service principal starting this month in an effort to increase the customer adoption of the dedicated Exchange hybrid app and improve the security posture of the hybrid environment. Microsoft’s advisory for CVE-2025-53786 also coincides with CISA’s analysis of various malicious artifacts deployed following the exploitation of recently disclosed SharePoint flaws, collectively tracked as ToolShell.

This includes two Base64-encoded DLL binaries and four Active Server Page Extended (ASPX) files that are designed to retrieve machine key settings within an ASP.NET application’s configuration and act as a web shell to execute commands and upload files. “Cyber threat actors could leverage this malware to steal cryptographic keys and execute a Base64-encoded PowerShell command to fingerprint the host system and exfiltrate data,” the agency said. CISA is also urging entities to disconnect public-facing versions of Exchange Server or SharePoint Server that have reached their end-of-life (EOL) or end-of-service from the internet, not to mention discontinue the use of outdated versions.

CISA Issues Emergency Directive

The U.S. cybersecurity agency, on August 7, 2025, issued an emergency directive (ED 25-02), requiring Federal Civilian Executive Branch (FCEB) agencies with Microsoft Exchange hybrid environments to implement required mitigations by 9 a.m. EDT on Monday, August 11, 2025. “This vulnerability presents significant risk to all organizations operating Microsoft Exchange hybrid-joined configurations that have not yet implemented the April 2025 patch guidance,” CISA said. CISA further noted that immediate mitigation of CVE-2025-53786 is critical and that the issue poses severe risks to organizations operating Microsoft Exchange hybrid-joined configurations that have not yet followed the April 2025 patch guidance. The concerns stem from the fact that an attacker, who has established administrative access on the on-premises Exchange server, could escalate privileges and gain significant control of a victim’s Microsoft 365 Exchange Online environment.

(The story was updated after publication to include details of an emergency directive issued by CISA.)

6,500 Axis Servers Expose Remoting Protocol; 4,000 in U.S. Vulnerable to Exploits

Cybersecurity researchers have disclosed multiple security flaws in video surveillance products from Axis Communications that, if successfully exploited, could expose them to takeover attacks. “The attack results in pre-authentication remote code execution on Axis Device Manager, a server used to configure and manage fleets of cameras, and the Axis Camera Station, client software used to view camera feeds,” Claroty researcher Noam Moshe said. “Furthermore, using internet scans of exposed Axis.Remoting services, an attacker can enumerate vulnerable servers and clients, and carry out granular, highly targeted attacks.”

The list of identified flaws is below:

- CVE-2025-30023 (CVSS score: 9.0) - A flaw in the communication protocol used between client and server that could lead to an authenticated user performing a remote code execution attack (Fixed in Camera Station Pro 6.9, Camera Station 5.58, and Device Manager 5.32)
- CVE-2025-30024 (CVSS score: 6.8) - A flaw in the communication protocol used between client and server that could be leveraged to execute an adversary-in-the-middle (AitM) attack (Fixed in Device Manager 5.32)
- CVE-2025-30025 (CVSS score: 4.8) - A flaw in the communication protocol used between the server process and the service control that could lead to a local privilege escalation (Fixed in Camera Station Pro 6.8 and Device Manager 5.32)
- CVE-2025-30026 (CVSS score: 5.3) - A flaw in the Axis Camera Station Server that could lead to an authentication bypass (Fixed in Camera Station Pro 6.9 and Camera Station 5.58)

Successful exploitation of the aforementioned vulnerabilities could allow an attacker to assume an AitM position between the Camera Station and its clients, effectively making it possible to alter requests/responses and execute arbitrary actions on either the server or client systems. There is no evidence that the issues have been exploited in the wild.

Claroty said it found more than 6,500 servers that expose the proprietary Axis.Remoting protocol and its services over the internet, of which nearly 4,000 are located in the U.S. “Successful exploits give attackers system-level access on the internal network and the ability to control each of the cameras within a specific deployment,” Moshe noted. “Feeds can be hijacked, watched, and/or shut down. Attackers can exploit these security issues to bypass authentication to the cameras and gain pre-authentication remote code execution on the devices.”

SonicWall Confirms Patched Vulnerability Behind Recent VPN Attacks, Not a Zero-Day

SonicWall has revealed that the recent spike in activity targeting its Gen 7 and newer firewalls with SSL VPN enabled is related to an older, now-patched bug and password reuse. “We now have high confidence that the recent SSL VPN activity is not connected to a zero-day vulnerability,” the company said. “Instead, there is a significant correlation with threat activity related to CVE-2024-40766.” CVE-2024-40766 (CVSS score: 9.3) was first disclosed by SonicWall in August 2024, calling it an improper access control issue that could allow malicious actors unauthorized access to the devices. “An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash,” it noted in an advisory at the time.

SonicWall also said it’s investigating fewer than 40 incidents related to this activity, and that many of the incidents are related to migrations from Gen 6 to Gen 7 firewalls without resetting the local user passwords, a crucial recommended action as part of CVE-2024-40766. Furthermore, the company pointed out that SonicOS 7.3 has additional protection against brute-force password and multi-factor authentication (MFA) attacks.

The updated guidance offered by the company is below:

- Update firmware to SonicOS version 7.3.0
- Reset all local user account passwords for any accounts with SSLVPN access, particularly those that were carried over during migration from Gen 6 to Gen 7
- Enable Botnet Protection and Geo-IP Filtering
- Enforce MFA and strong password policies
- Remove unused or inactive user accounts

The development comes as multiple security vendors reported observing a surge in attacks exploiting SonicWall SSL VPN appliances for Akira ransomware attacks. Last year, Arctic Wolf disclosed that threat actors associated with Akira and Fog are targeting SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks between August and mid-October 2024.

Cybersecurity company Huntress told The Hacker News that it continues to see organizations impacted by threat actors targeting SonicWall Gen 7 firewall appliances, adding a total of at least 28 incidents have been recorded from this activity cluster as of August 6, 2025.

Researchers Uncover ECScape Flaw in Amazon ECS Enabling Cross-Task Credential Theft

Cybersecurity researchers have demonstrated an “end-to-end privilege escalation chain” in Amazon Elastic Container Service (ECS) that could be exploited by an attacker to conduct lateral movement, access sensitive data, and seize control of the cloud environment. The attack technique has been codenamed ECScape by Sweet Security researcher Naor Haziz, who presented the findings today at the Black Hat USA security conference that’s being held in Las Vegas. “We identified a way to abuse an undocumented ECS internal protocol to grab AWS credentials belonging to other ECS tasks on the same EC2 instance,” Haziz said in a report shared with The Hacker News. “A malicious container with a low‑privileged IAM [Identity and Access Management] role can obtain the permissions of a higher‑privileged container running on the same host.” Amazon ECS is a fully-managed container orchestration service that allows users to deploy, manage, and scale containerized applications, while integrating with Amazon Web Services (AWS) to run container workloads in the cloud.

The vulnerability identified by Sweet Security essentially allows for privilege escalation by allowing a low-privileged task running on an ECS instance to hijack the IAM privileges of a higher-privileged container on the same EC2 machine by stealing its credentials. In other words, a malicious app in an ECS cluster could assume the role of a more privileged task. This is facilitated by taking advantage of a metadata service running at 169.254.170[.]2 that exposes the temporary credentials associated with the task’s IAM role. While this approach ensures that each task gets credentials for its IAM role and they are delivered at runtime, a leak of the ECS agent’s identity could permit an attacker to impersonate the agent and obtain credentials for any task on the host.

The entire sequence is as follows:

- Obtain the host’s IAM role credentials (EC2 Instance Role) so as to impersonate the agent
- Discover the ECS control plane endpoint that the agent talks to
- Gather the necessary identifiers (cluster name/ARN, container instance ARN, Agent version information, Docker version, ACS protocol version, and Sequence number) to authenticate as the agent using the Task Metadata endpoint and ECS introspection API
- Forge and sign the Agent Communication Service (ACS) WebSocket Request impersonating the agent with the sendCredentials parameter set to “true”
- Harvest credentials for all running tasks on that instance

“The forged agent channel also remains stealthy,” Haziz said. “Our malicious session mimics the agent’s expected behavior – acknowledging messages, incrementing sequence numbers, sending heartbeats – so nothing seems amiss.” “By impersonating the agent’s upstream connection, ECScape completely collapses that trust model: one compromised container can passively collect every other task’s IAM role credentials on the same EC2 instance and immediately act with those privileges.”

ECScape can have severe consequences when running ECS tasks on shared EC2 hosts, as it opens the door to cross-task privilege escalation, secrets exposure, and metadata exfiltration. Following responsible disclosure, Amazon has emphasized the need for customers to adopt stronger isolation models where applicable, and made it clear in its documentation that there is no task isolation in EC2 and that “containers can potentially access credentials for other tasks on the same container instance.” As mitigations, it’s advised to avoid deploying high-privilege tasks alongside untrusted or low-privilege tasks on the same instance, use AWS Fargate for true isolation, disable or restrict the instance metadata service (IMDS) access for tasks, limit ECS agent permissions, and set up CloudTrail alerts to detect unusual usage of IAM roles.
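The first mitigation above, keeping high-privilege tasks off hosts shared with other tasks, can be audited from task inventory. This is an added example, not code from Sweet Security or AWS: it groups records shaped like `aws ecs describe-tasks` output by container instance and reports hosts where a sensitive role shares the instance with a different role. The account ID, names, sample tasks and the set of sensitive roles are constructed assumptions.

```python
from collections import defaultdict

ECS = "arn:aws:ecs:us-east-1:111122223333"  # placeholder account and region
IAM = "arn:aws:iam::111122223333:role"


def _task(task_id, taskdef, instance=None, override_role=None):
    """Build one constructed record shaped like a describe-tasks item."""
    task = {"taskArn": f"{ECS}:task/prod/{task_id}", "lastStatus": "RUNNING",
            "launchType": "EC2" if instance else "FARGATE",
            "taskDefinitionArn": f"{ECS}:task-definition/{taskdef}"}
    if instance:
        task["containerInstanceArn"] = f"{ECS}:container-instance/prod/{instance}"
    if override_role:
        task["overrides"] = {"taskRoleArn": f"{IAM}/{override_role}"}
    return task


# Constructed inventory: i1 mixes roles, i2 does not, i3 mixes via an override.
DESCRIBE_TASKS = {"tasks": [
    _task("t1", "web:7", "i1"),
    _task("t2", "backup:3", "i1"),
    _task("t3", "web:7", "i2"),
    _task("t4", "web:7", "i2"),
    _task("t5", "batch:1", "i3", override_role="backup-admin"),
    _task("t6", "web:7", "i3"),
    _task("t7", "backup:3"),  # Fargate: no shared container instance
]}
# taskRoleArn of each task definition (from describe-task-definition).
ROLE_BY_TASKDEF = {
    f"{ECS}:task-definition/web:7": f"{IAM}/web-ro",
    f"{ECS}:task-definition/backup:3": f"{IAM}/backup-admin",
    f"{ECS}:task-definition/batch:1": f"{IAM}/batch-ro",
}
# Assumption: the roles this organization treats as high-privilege.
SENSITIVE_ROLES = {f"{IAM}/backup-admin"}


def colocated_sensitive_roles(describe_tasks, role_by_taskdef, sensitive_roles):
    """Return {containerInstanceArn: {"roles": [...], "sensitive": [...]}}.

    An instance is reported when a sensitive role runs on it next to at
    least one task that uses a different role (or no task role at all).
    """
    roles = defaultdict(set)
    for task in describe_tasks.get("tasks", []):
        instance = task.get("containerInstanceArn")
        # Fargate tasks carry no container instance; stopped tasks hold no host.
        if not instance or task.get("lastStatus") == "STOPPED":
            continue
        # A run-time override replaces the task definition's role.
        override = (task.get("overrides") or {}).get("taskRoleArn")
        role = override or role_by_taskdef.get(task.get("taskDefinitionArn"))
        roles[instance].add(role or "(no task role)")
    findings = {}
    for instance, present in roles.items():
        exposed = sorted(present & set(sensitive_roles))
        if exposed and len(present) > 1:
            findings[instance] = {"roles": sorted(present), "sensitive": exposed}
    return findings


if __name__ == "__main__":
    report = colocated_sensitive_roles(DESCRIBE_TASKS, ROLE_BY_TASKDEF,
                                       SENSITIVE_ROLES)
    for instance, detail in sorted(report.items()):
        print(instance, "->", ", ".join(detail["roles"]))
```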
“The core lesson is that you should treat each container as potentially compromiseable and rigorously constrain its blast radius,” Haziz said.

“AWS’s convenient abstractions (task roles, metadata service, etc.) make life easier for developers, but when multiple tasks with different privilege levels share an underlying host, their security is only as strong as the mechanisms isolating them – mechanisms which can have subtle weaknesses.”

The development comes in the wake of several cloud-related security weaknesses that have been reported in recent weeks:

- A race condition in Google Cloud Build’s GitHub integration that could have allowed an attacker to bypass maintainer review and build un-reviewed code after a “/gcbrun” command is issued by the maintainer
- A remote code execution vulnerability in Oracle Cloud Infrastructure (OCI) Code Editor that an attacker could use to hijack a victim’s Cloud Shell environment and potentially pivot across OCI services by tricking a victim, already logged into Oracle Cloud, to visit a malicious HTML page hosted on a server by means of a drive-by attack
- An attack technique called I SPy that exploits a Microsoft first-party application’s Service principal (SP) in Entra ID for persistence and privilege escalation via federated authentication
- A privilege escalation vulnerability in the Azure Machine Learning service that allows an attacker with only Storage Account access to modify invoker scripts stored in the AML storage account and execute arbitrary code within an AML pipeline, enabling them to extract secrets from Azure Key Vaults, escalate privileges, and gain broader access to cloud resources
- A scope vulnerability in the legacy AmazonGuardDutyFullAccess AWS managed policy that could allow a full organizational takeover from a compromised member account by registering an arbitrary delegated administrator
- An attack technique that abuses Azure Arc for privilege escalation by leveraging the Azure Connected Machine Resource Administrator role and as a persistence mechanism by setting up as command-and-control (C2)
- A case of over-privileged Azure built-in Reader roles and a vulnerability in Azure API that could be chained by an attacker to leak VPN keys and then use the key to gain access to both internal cloud assets and on-premises networks
- A supply chain compromise vulnerability in Google Gerrit called GerriScary that enabled unauthorized code submissions to at least 18 Google projects, including ChromiumOS (CVE-2025-1568, CVSS score: 8.8), Chromium, Dart, and Bazel, by exploiting misconfigurations in the default “addPatchSet” permission, the voting system’s label handling, and a race condition with bot code-submission timings during the code merge process
- A Google Cloud Platform misconfiguration that exposed the subnetworks used for member exchanges at Internet Exchange Points (IXPs), thereby allowing attackers to potentially abuse Google’s cloud infrastructure to gain unauthorized access to internal IXP LANs
- An extension of a Google Cloud privilege escalation vulnerability called ConfusedFunction that can be adapted to other cloud platforms like AWS and Azure using AWS Lambda and Azure Functions, respectively, in addition to extending it to perform environment enumeration

“The most effective mitigation strategy to protect your environment from similar threat actor behavior is to ensure that all SAs [Service Account] within your cloud environment adhere to the principle of least privilege and that no legacy cloud SAs are still in use,” Talos said. “Ensure that all cloud services and dependencies are up to date with the latest security patches. If legacy SAs are present, replace them with least-privilege SAs.”