Author: Mark

Jul 14, 2025The Hacker NewsSecrets Management / SaaS Security

While phishing and ransomware dominate headlines, another critical risk quietly persists across most enterprises: exposed Git repositories leaking sensitive data. A risk that silently creates shadow access into core systems

Git is the backbone of modern software development, hosting millions of repositories and serving thousands of organizations worldwide. Yet, amid the daily hustle of shipping code, developers may inadvertently leave behind API keys, tokens, or passwords in configuration files and code files, effectively handing attackers the keys to the kingdom.

This isn’t just about poor hygiene; it’s a systemic and growing supply chain risk. As cyber threats become more sophisticated, so do compliance requirements. Security frameworks like NIS2, SOC2, and ISO 27001 now demand proof that software delivery pipelines are hardened and third-party risk is controlled. The message is clear: securing your Git repositories is no longer optional, it’s essential.

Below, we look at the risk profile of exposed credentials and secrets in public and private code repositories, how this attack vector has been used in the past, and what you can do to minimize your exposure.

The Git Repo Threat Landscape

The threat landscape surrounding Git repositories is expanding rapidly, driven by a number of causes:

• Growing complexity of DevOps practices
• Widespread reliance on public version control platforms like GitHub
• Human error and all the misconfigurations that entail: from poorly applied access controls to forgotten test environments pushed to production

It’s no surprise that as development velocity increases, so does the opportunity for attackers to weaponize exposed code repositories. GitHub alone reported over 39 million leaked secrets in 2024—a 67% increase from the year before. These included cloud credentials, API tokens, and SSH keys. Most of these exposures originate from:

• Personal developer accounts
• Abandoned or forked projects
• Misconfigured or unaudited repositories

For attackers, these aren’t just mistakes, they’re entry points. Exposed Git repos offer a direct, low-friction pathway into internal systems and developer environments. What starts as a small oversight can escalate into a full-blown compromise, often without triggering any alerts.

How Do Attackers Leverage Exposed Git Repositories?

Public tools and scanners make it trivial to harvest secrets from exposed Git repositories, and attackers know how to pivot quickly from exposed code to compromised infrastructure.

Once inside a repository, attackers look for:

• Secrets and credentials: API keys, authentication tokens, and passwords. Often hidden in plain sight within config files or commit history.
• Infrastructure intel: Details about Internal systems such as hostnames, IPs, ports, or architectural diagrams.
• Business logic: Source code that can reveal vulnerabilities in authentication, session handling, or API access.

These insights are then weaponized for:

• Initial access: Attackers use valid credentials to authenticate into:
  • Cloud environments — e.g., AWS IAM roles via exposed access keys, Azure Service Principals
  • Databases — e.g., MongoDB, PostgreSQL, MySQL using hardcoded connection strings
  • SaaS platforms — leveraging API tokens found in config files or commit history
• Lateral movement: Once inside, attackers pivot further by:
  • Enumerating internal APIs using exposed OpenAPI/Swagger specs
  • Accessing CI/CD pipelines using leaked tokens from GitHub Actions, GitLab CI, or Jenkins
  • Using misconfigured permissions to move across internal services or cloud accounts
• Persistence and exfiltration: To maintain access and extract data over time, they:
  • Create new IAM users or SSH keys to stay embedded
  • Deploy malicious Lambda functions or containers to blend in with normal workloads
  • Exfiltrate data from S3 buckets, Azure Blob Storage, or logging platforms like CloudWatch and Log Analytics

A single leaked AWS key can expose an entire cloud footprint. A forgotten .git/config file or stale commit may still contain live credentials.

These exposures often bypass traditional perimeter defenses entirely. We’ve seen attackers pivot from exposed Git repositories → to developer laptops → to internal networks. This threat isn’t theoretical, it’s a kill chain we’ve validated in live production environments using Pentera.

Recommended Mitigation Strategies

Reducing exposure risk starts with the basics. While no single control can eliminate Git-based attacks, the following practices help reduce the likelihood of secrets leaking – and limit the impact when they do.

1. Secrets Management

• Store secrets outside your codebase using dedicated secret management solutions like HashiCorp Vault (open source), AWS Secrets Manager, or Azure Key Vault. These tools provide secure storage, fine-grained access control, and audit logging.
• Avoid hardcoding secrets in source files or configuration files. Instead, inject secrets at runtime via environment variables or secure APIs.
• Automate secret rotation to reduce the window of exposure.

2. Code Hygiene

• Enforce strict .gitignore policies to exclude files that may contain sensitive information, such as .env, config.yaml, or credentials.json.
• Integrate scanning tools like Gitleaks, Talisman, and git-secrets into developer workflows and CI/CD pipelines to catch secrets before they’re committed.

3. Access Controls

• Enforce the principle of least privilege across all Git repositories. Developers, CI/CD tools, and third-party integrations should only have the access they need – no more.
• Use short-lived tokens or time-bound credentials wherever possible.
• Enforce multi-factor authentication (MFA) and single sign-on (SSO) on Git platforms.
• Regularly audit user and machine access logs to identify excessive privileges or suspicious behavior.

Find Exposed Git Data Before Attackers Do

Exposed Git repositories are not an edge-case risk, but a mainstream attack vector especially in fast-moving DevOps environments. While secret scanners and hygiene practices are essential, they often fall short of providing the full picture. Attackers aren’t just reading your code; they’re using it as a map to walk right into your infrastructure.

Yet, even teams using best practices are left blind to one critical question: could an attacker actually use this exposure to break in? Securing your repositories requires more than just static checks. It calls for continuous validation, proactive remediation, and an adversary’s mindset. As compliance mandates tighten and attack surfaces expand, organizations must treat code exposure as a core part of their security strategy and not as an afterthought.

To learn more about how your team can do this, join the webinar They’re Out to Git You on July 23rd, 2025

Jul 14, 2025Ravie LakshmananMalware / Web Security

Threat actors behind the Interlock ransomware group have unleashed a new PHP variant of its bespoke remote access trojan (RAT) as part of a widespread campaign using a variant of ClickFix called FileFix.

“Since May 2025, activity related to the Interlock RAT has been observed in connection with the LandUpdate808 (aka KongTuke) web-inject threat clusters,” The DFIR Report said in a technical analysis published today in collaboration with Proofpoint.

“The campaign begins with compromised websites injected with a single-line script hidden in the page’s HTML, often unbeknownst to site owners or visitors.”

The JavaScript code acts as a traffic distribution system (TDS), using IP filtering techniques to redirect users to fake CAPTCHA verification pages that leverage ClickFix to entice them into running a PowerShell script that leads to the deployment of NodeSnake (aka Interlock RAT).

The use of NodeSnake by Interlock was previously documented by Quorum Cyber as part of cyber attacks targeting local government and higher education organizations in the United Kingdom in January and March 2025. The malware facilitates persistent access, system reconnaissance, and remote command execution capabilities.

While the name of the malware is a reference to its Node.js foundations, new campaigns observed last month have led to the distribution of a PHP variant by means FileFix. The activity is assessed to be opportunistic in nature, aiming for a broad range of industries.

“This updated delivery mechanism has been observed deploying the PHP variant of the Interlock RAT, which in certain cases has then led to the deployment of the Node.js variant of the Interlock RAT,” the researchers said.

FileFix is an evolution of ClickFix that takes advantage of the Windows operating system’s ability to instruct victims into copying and executing commands using the File Explorer’s address bar feature. It was first detailed as a proof-of-concept (PoC) last month by security researcher mrd0x.

Once installed, the RAT malware carries out reconnaissance of the infected host and exfiltrate system information in JSON format. It also checks its own privileges to determine if it’s being run as USER, ADMIN, or SYSTEM, and establishes contact with a remote server to download and run EXE or DLL payloads.

Persistence on the machine is accomplished via Windows Registry changes, while the Remote Desktop Protocol (RDP) is used to enable lateral movement.

A noteworthy feature of the trojan is its abuse of Cloudflare Tunnel subdomains to obscure the true location of the command-and-control (C2) server. The malware further embeds hard-coded IP addresses as a fallback mechanism so as to ensure that the communication remains intact even if the Cloudflare Tunnel is taken down.

“This discovery highlights the continued evolution of the Interlock group’s tooling and their operational sophistication,” the researchers said. “While the Node.js variant of Interlock RAT was known for its use of Node.js, this variant leverages PHP, a common web scripting language, to gain and maintain access to victim networks.”

In cybersecurity, precision matters—and there’s little room for error. A small mistake, missed setting, or quiet misconfiguration can quickly lead to much bigger problems. The signs we’re seeing this week highlight deeper issues behind what might look like routine incidents: outdated tools, slow response to risks, and the ongoing gap between compliance and real security.

For anyone responsible for protecting systems, the key isn’t just reacting to alerts—it’s recognizing the larger patterns and hidden weak spots they reveal.

Here’s a breakdown of what’s unfolding across the cybersecurity world this week.

⚡ Threat of the Week

NCA Arrests for Alleged Scattered Spider Members — The U.K. National Crime Agency (NCA) announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They are believed to be associated with the notorious cybercrime group known as Scattered Spider, an offshoot of a loose-knit collective called The Com, which is responsible for a vast catalog of crimes, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and murder.

🔔 Top News

• PerfektBlue Bluetooth Flaws Expose Millions of Vehicles to Remote Attacks — Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from Mercedes-Benz, Volkswagen, and Skoda. “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” PCA Cyber Security said. Volkswagen said the identified issues exclusively concern Bluetooth and that neither is vehicle safety nor integrity affected. It also noted that exploitation of the vulnerabilities is only possible when several conditions are met simultaneously.
• North Korean Hacker Behind Fraudulent IT Worker Scheme Sanctioned — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme. Song Kum Hyok, 38, is alleged to have enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them. The sanctions mark the first time a threat actor linked to Andariel, a sub-cluster within the Lazarus Group, has been tied to the IT worker scheme. “While the Treasury’s announcement marks a formal public association of the Andariel (APT45) hacking group with North Korea’s remote IT worker operation, the connection reflects a much broader and long-running pattern,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News.
• Chinese Hacker Arrested for Silk Typhoon Attacks — A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies. Xu Zewei, 33, has been accused of being involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designed as Hafnium. Xu, alongside co-defendant and Chinese national Zhang Yu, are believed to have undertaken the attacks based on directions issued by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
• Threat Weaponize Leaked Version of Shellter to Distributed Stealers — Hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware and remote access trojans. The campaigns are believed to have started in April 2025, around the same time a company that procured a licensed version of the software leaked a copy on cybercrime forums. “Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools,” Elastic Security Labs said.
• Fortinet Patches Critical SQL Injection Flaw — Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. According to watchTowr Labs, the problem is rooted in the fact that a Bearer token Authorization header in a specially crafted HTTP request is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code. The disclosure comes as Sonar detailed multiple vulnerabilities in Fortinet’s FortiClient (CVE-2025-25251, CVE-2025-31365, CVE-2025-22855, CVE-2025-22859, and CVE-2025-31366) that, when chained together, grants an attacker complete organizational control with minimal user interaction. CVE-2025-22859 “enables an authenticated attacker to upload a stored XSS payload to a Linux-based EMS server,” security researcher Yaniv Nizry said. “Exploiting this vulnerability, an attacker can manipulate an EMS user into clicking a malicious link, forcing all registered endpoints to switch connection to a malicious EMS server without any interaction from the clients. This makes them susceptible to arbitrary code execution.”

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-24269, CVE-2025-24235 (SMBClient), CVE-2025-30012, CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (SAP), CVE-2025-52488 (DNN), CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, CVE-2025-6243 (Ruckus Wireless), CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Apache Tomcat), CVE-2025-6948 (GitLab CE/EE), CVE-2025-0141 (Palo Alto Networks GlobalProtect App), CVE-2025-6691 (SureForms plugin), CVE-2025-7206 (D-Link DIR-825), CVE-2025-32353, CVE-2025-32874 (Kaseya RapidFire Tools Network Detective), CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029 (Gigabyte UEFI), CVE-2025-1727 (End-of-Train and Head-of-Train devices), and a critical double free vulnerability in the Linux kernel’s pipapo set module.

📰 Around the Cyber World

• Atomic Stealer Gets a Backdoor Feature — The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to obtain persistent access to compromised systems. The new component allows executing arbitrary remote commands, gaining full user-level access, and even surviving reboots, allowing attackers to maintain control over infected hosts indefinitely. According to Moonlock Lab, campaigns distributing Atomic have recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners and using staged job interview invitations to infect freelancers. The United States, France, Italy, the United Kingdom, and Canada are among the most affected by the stealer malware. It is only the second known case of backdoor deployment at a global scale targeting macOS users, after North Korea. “The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code,” the company said. “It’s clear that the Russia-affiliated authors of Atomic macOS Stealer are following in the footsteps of North Korean attack groups.”

• Call of Duty Makers Takes Game Offline After Reports of RCE Exploit — The makers of Call of Duty: World War 2 announced that the PC version of the game has been taken offline following “reports of an issue.” The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability in the popular video game that could allow an attacker to take over others’ PCs during live multi-player matches. The RCE exploit has been found to be abused to open command prompts on victim PCs, send mocking messages via Notepad, and forcibly shut down players’ computers, among others. Activision has not officially commented on the issue, but it’s said to be working to remediate the bug.
• BaitTrap Uses Over 17K Sites to Push Scams — A network of more than 17,000 websites is mimicking trusted brands, including CNN, BBC and CNBC, to redirect visitors to online scams. The BaitTrap network uses Google and Meta ads, social media posts, and YouTube videos to lure victims. The bogus sites typically collect personal information and attempt to hijack online crypto accounts. They target audiences in more than 50 countries all over the globe. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to “fabricated investment schemes in order to build trust and get engagement from victims.”
• Dutch Police Arrest 5 Phishing Gang Members — Dutch police have arrested five members of a phishing gang that operated out of the city of Lelystad. Four of the group’s members are teenagers aged 14 to 17. Authorities said the suspects used QR codes sent via email to collect login credentials for local banks. In a related law enforcement development, Nepalese authorities have apprehended 52 people for allegedly running online dating and crypto investment scams. The group ran a call center and a dating app called METOO to lure young Nepali women and facilitate fraudulent online transactions. Six of the detained suspects are Chinese and are believed to have managed the operation.
• German Court Orders Meta to Pay €5K Over GDPR Violation — A German court has ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding its Pixel tracking technology in third-party websites. The ruling could open the door to large fines down the road over data privacy violations relating to similar tracking tools. The Regional Court of Leipzig in Germany ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR). “Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account,” the court said.
• LFI Flaw in Microsoft Export to PDF Feature — A Local File Inclusion (LFI) vulnerability has been disclosed in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft, earning them a $3,000 bounty reward. “It turned out there was an undocumented behavior that allowed converting from HTML to PDF files,” Baldi said. “By embedding specific tags (<embed>, <object>, and <iframe>) into the HTML content, an attacker could force the inclusion of local files from the server’s file system into the resulting PDF—even files located outside the server’s root directory.”
• Unpatched Flaws in Ruckus Wireless — Multiple unpatched security flaws have been disclosed (CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, and CVE-2025-6243) in Ruckus Wireless management products Virtual SmartZone (vSZ) and Network Director (RND) could be exploited by an attacker to leak sensitive information and compromise the wireless environment. The flaws include authentication bypass, hard-coded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. “An attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment,” CERT/CC said. “Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.” Noam Moshe of Claroty Team82 has been credited with discovering and reporting the issues. In the absence of patches, users are advised to limit access to trusted users and their authenticated clients to manage the infrastructure via a secure protocol like HTTPS or SSH.
• Security Flaws in Gigabyte UEFI — Multiple security flaws have been disclosed in UEFI modules present in Gigabyte firmware (CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029) that an attacker could exploit to elevate privileges and execute arbitrary code in the System Management Mode (SMM) environment of a UEFI-supported processor. “An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections,” CERT/CC said. “These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes – before the OS fully loads.” Successful exploitation of the vulnerabilities can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, facilitating stealthy firmware implants and persistent control over the system. The flaws were discovered and reported by Binarly.
• Android did not have a patch for the first time in July 2025 in a Decade — Google announced that no security patches have been released for Android and Pixel devices for the month of July 2025, ending a decade-long streak of security updates. This is the first month no security updates have been released since Google started rolling out monthly Android fixes in August 2015.
• Indonesia Extradites Russian National for Selling Personal Data on Telegram — Indonesia has extradited a Russian citizen named Alexander Zverev for allegedly running a Telegram channel that sold personal data obtained from law enforcement databases. Russian authorities claimed that Zverev operated an unnamed criminal network between 2018 and 2021 that profited from selling sensitive personal information sourced from databases belonging to Russia’s Interior Ministry (MVD), Federal Security Service (FSB), and mobile phone operators. Subscribers of the Telegram channel could allegedly purchase details about Russian citizens, including private information. Authorities have not disclosed the name of the channel or whether it is currently operational.
• Law Enforcement Catches Up on Ransomware Actors — The Brussels criminal court sentenced the Russian developer of Crylock ransomware to seven years in prison for masterminding the malware’s deployment on thousands of computers. His former co-conspirator, a female involved in advertising Crylock and negotiating with the victims, was sentenced to five years. More than €60 million (~$70 million) in cryptocurrency representing illegal proceeds from the ransomware operation have been seized by law enforcement. The development came as French authorities arrested a 26-year-old Russian basketball player for his alleged role in ransomware attacks. Daniil Kasatkin was arrested on June 21, 2025, at the Charles de Gaulle Airport in Paris at the request of U.S. authorities. It’s alleged that Kasatkin helped an unnamed ransomware gang negotiate ransoms. Kasatkin’s lawyer denied the charges and claimed his client had no technical skills. “He bought a second-hand computer. He did absolutely nothing. He’s shocked,” his lawyer, Frédéric Bélot, told AFP. “He’s useless with computers and can’t even install an application. He didn’t touch anything on the computer: it was either hacked, or the hacker sold it to him to act under the cover of another person.” He’s currently being held pending extradition to the U.S. The ransomware group Kasatkin was allegedly involved with has not been named, but is said to have attacked roughly 900 companies. The U.S. Federal Bureau of Investigation (FBI) said recently that it’s aware of 900 organizations hit by the Play ransomware group.
• RansomedVC Returns After Hiatus; Leaks Medusa Data — The RansomedVC ransomware group has returned after a two-year absence and leaked the internal chat transcripts of the Medusa ransomware group from December 11, 2022, to March 2023. RansomedVC claimed Medusa’s admin “seems completely absent and unresponsive to the needs of his members” and indicated that they may either be trying an exit scam or might have been compromised by law enforcement. “From the transcript and analyzing previous events, the group is mainly focused on targeting Fortinet Access as an SQLi Vulnerability was exploited by the group in 2024 and the current leaked chat that mentions ‘Forti’ also underlines its importance which dates back to 2023,” security researcher Rakesh Krishnan said. The development coincides with the emergence of new players, including BERT. Another ransomware group, SafePay, which emerged last year has since evolved to become “one of the most active and dangerous actors,” mainly targeting managed service providers (MSPs) and small-to-midsize businesses (SMBs). “The group uses classic but effective techniques: RDP- and VPN-based intrusion, credential theft, privilege escalation and living-off-the-land binaries to quietly move through victim networks, exfiltrate sensitive data and then encrypt files,” Acronis said. Ransomware assaults on businesses around the world have increased by 213% in the first quarter of 2025, with 2,314 victims reported over 74 distinct data breach sites, compared to just 1,086 in the first quarter of 2024.
• Disgruntled IT Worker Jailed for Cyber Attack — Mohammed Umar Taj, 31, of Hyrst Garth, Batley, U.K., was sentenced to seven months and 14 days in prison for unlawfully accessing his former employer’s premises, altering login credentials, and changing access credentials and multi-factor authentication configuration to disrupt the company’s operations. He was suspended from work in July 2022.
• Hacker Behind GMX Exchange Returns Assets — An unknown hacker behind the $42 million theft from decentralized exchange GMX has returned the stolen assets in return for a $5 million bug bounty. The development happened after GMX promised not to pursue charges if the hacker returned the funds. In a post-mortem report, the company said it has addressed the root cause in a subsequent update. “Based on a review of the incident by contributors, auditors and security researchers, the root cause of the exploit is a reentrancy attack,” it said. “By utilizing this reentrancy and bypassing the average short price calculations, the attacker was able to open positions and manipulate the average short price for BTC downwards from the initial value of $109,505.77 to $1,913.70.”
• Flaws in Thermomix TM5 Appliance — A security analysis of Thermomix TM5’s has uncovered several weaknesses that could render the kitchen appliance susceptible to firmware downgrade attacks (limited to versions prior to 2.14. Version 2.14) and secure boot bypass, allowing an attacker to gain persistence. “This vulnerability can be chained with the firmware downgrade vulnerability to gain arbitrary code execution and apply a controlled firmware update file without messing up with the NAND flash,” Synacktiv said. “By exploiting these flaws, one can alter the firmware version block to bypass anti-downgrade protections, downgrade the firmware, and potentially execute arbitrary code.”
• API Client Security Risks Detailed — An analysis of API clients like Postman, Insomnia, Bruno, and Hoppscotch has uncovered potential vulnerabilities within their JavaScript sandboxing implementations that could be exploited to achieve code execution. “Running untrusted code without any isolation is, of course, a bad idea, but it is also problematic to use seemingly working solutions such as Node.js’s built-in vm module or the third-party vm2 package,” Sonar researchers Oskar Zeino-Mahmalat and Paul Gerste said. “These are known to have bypasses that let malicious code escape the sandbox and get access to system resources.”
• Ubuntu Turns Off Intel GPU Security Mitigations — Ubuntu has disabled a security feature that protected Intel GPUs against Spectre side-channel attacks. Canonical said it now uses kernel-level protections, making it no longer necessary to have those safeguards. Ubuntu developers can expect the operating system to see a 20% in improvement in performance following the update. “After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu maintainers said. “At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.”
• Botnet Engages in Web Scraping — A new botnet comprising more than 3,600 unique IP addresses has been observed involved in web scraping activity at least since April 19, 2025. The majority of the botnet’s infected hosts are located in Taiwan, Japan, Bulgaria, and France, GreyNoise said, with targeted systems predominantly located in the United States and United Kingdom. “The dominance of Taiwanese IP space could suggest: A common technology or service deployed widely in Taiwan has been compromised, or that local exposure to a shared vulnerability is driving the clustering,” the threat intelligence firm said.
• Czechia Becomes the Latest Country to Issue Warning About DeepSeek — Czechia’s cybersecurity agency, the National Cyber and Information Security Agency (NÚKIB), issued a formal warning detailing the national security risks posed by the use of software provided by Chinese artificial intelligence company DeepSeek. “The primary security concerns stem from insufficient protection of data transmission and handling, from the collection of data types which, in greater volume, may lead to user deanonymization, and lastly, from the legal and political environment of the People’s Republic of China to which the company DeepSeek is fully subject,” NÚKIB said. To that end, the government has banned the use of DeepSeek on state-owned devices, urging the public to be mindful of the information shared with the platform. However, NÚKIB noted that the decision does not apply to open-source large language models (LLMs) developed by the company DeepSeek, provided that their source code is made available for review and can be deployed locally without any contact with servers associated with DeepSeek or its related entities. Several other nations, including Canada, Germany, Italy, the Netherlands, South Korea, and Taiwan, have issued similar warnings.
• TikTok Comes Under E.U. Radar Again — Ireland’s Data Protection Commission (DPC) said it’s opening a probe into TikTok over the transfer of user data in the European Union to servers located in China. “The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers [under GDPR],” the DPC said. The development comes a little more than two months after the DPC fined TikTok €530 million ($620 million) for infringing data protection regulations in the region by transferring European users’ data to China and for allowing TikTok’s China-based staff access European user data. TikTok, which is owned by China’s ByteDance, has been the subject of intense scrutiny on both sides of the Atlantic over how it handles personal user information amid concerns that it poses a national security risk. As per stringent data protection laws in the region, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. TikTok is also facing the heat in the United Kingdom after the First-tier Tribunal ruled that the Information Commissioner’s Office (ICO), the British data regulator, has the power to issue a monetary penalty notice (MPN) to TikTok. The ICO fined TikTok £12.7 million in 2023, but the company argued that “its processing was for artistic purposes, so the ‘special purposes’ provisions applied.”
• Google Details Advanced Protection in Android — Back in May 2025, Google launched Advanced Protection, a security feature that “ensures all of Android’s highest security features are enabled and are seamlessly working together to safeguard you against online attacks, harmful apps, and data risks.” Similar to Lockdown Mode in Apple iOS, iPadOS, and macOS devices, Advanced Protection aims to provide improved guardrails for journalists and other high-risk targets. In Google Chrome, this includes always using secure connections, full site isolation on mobile devices with 4GB+ RAM to keep malicious sites away from legitimate sites, and disabling JavaScript optimizations.
• SatanLock Announces Abrupt Shutdown — SatanLock, a newer ransomware group on the threat landscape, has announced that it will be shutting down. The exact reasons behind the sudden move is unclear. The group first emerged in early April, and published 67 victims within a span of a month. However, Check Point found that 65% of these victims had already been listed by other ransomware groups.
• Russia Rejects Law to Legalize White-Hat Hacking — Russia’s State Duma has rejected legislation that would have legalized ethical hacking, citing national security concerns. Politicians expressed worries that finding vulnerabilities found in software made by companies headquartered in hostile countries would require sharing them, which, in turn, could lead to those nations abusing the defects for strategic gain, local media reported.
• GitHub Repos Used to Distribute Malware as Free VPN — Threat actors have been observed using GitHub as a mechanism for staging stealer malware like Lumma by disguising it as ‘Free VPN for PC and Minecraft Skin Changer. “The analysis of the ‘Free-VPN-For-PC’ sample revealed that, behind its seemingly legitimate facade, it functions as a sophisticated malware dropper designed to implant the Lumma Stealer,” CYFIRMA said. “Disguised as a helpful tool, the dropper uses multiple layers of obfuscation, in-memory execution, and process injection to evade detection. The same malware was also repackaged under the name ‘Minecraft Skin,’ indicating a broader social engineering tactic targeting different user interests.”
• NFC-Enabled Fraud Targets Philippines’ Financial Sector — Chinese mobile malware syndicates that rely on NFC relay attacks have now spread to the Philippines, Resecurity revealed. “Major underground shops managed by Chinese cybercriminals list the Philippines as one of the most impacted areas, based on the volume of compromised credit cards (CCs),” the company said. Some of the other top regions targeted by Chinese cybercriminals include Australia, Taiwan, Malaysia, New Zealand, Singapore, Thailand, Hong Kong, Korea, and Indonesia. These groups, active on Telegram, enable fraudsters to acquire compromised cards and also check whether they are valid or not, using micro-charges performed via fraudulent merchants set up by Chinese cybercriminals. Attackers can then use tools like Z-NFC, X-NFC, SuperCard X, Track2NFC to clone stolen card data and perform unauthorized transactions using NFC-enabled devices.
• GitPhish Tool to Automate GitHub Device Code Phishing — Cybersecurity researchers have demonstrated a novel initial access vector that leverages the OAuth 2.0 Device Authorization Grant flow to compromise an organization’s GitHub repositories and software supply chain. Called Device Code Phishing, the technique employs social engineering ploys to trick targets into entering an eight-digit device code by clicking on an attacker-provided link, potentially leading to complete compromise of organizational GitHub repositories and software supply chains. It’s worth noting that device code phishing has been utilized by suspected Russian threat actors to gain access to Microsoft accounts. “We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub,” Praetorian said. “Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts.”
• Malicious Browser Extensions Galore — A set of 18 malicious extensions with 2.3 million downloads in Google’s Chrome Web Store and Microsoft Edge Addons have been found to incorporate features to track users’ site visits, steal browser activity, and redirect to potentially unsafe sites. These add-ons pose as productivity and entertainment tools across diverse categories, including color pickers, emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters and YouTube unblockers. While they offer the advertised functionality, they provide the perfect cover to conceal their browser surveillance and hijacking capabilities. The activity has been codenamed RedDirection by Koi Security. What makes the campaign concerning is that the extensions started off as benign tools, with the malicious code introduced at a later time via updates, in some cases after years. Last month, LayerX revealed that it had identified a network of malicious “sleeper agent” extensions that are likely being set up as a stepping stone for future activity. These extensions were identified as being installed nearly 1.5 million times. One of the extensions that’s common to both these clusters is “Volume Max — Ultimate Sound Booster” (extension ID: mgbhdehiapbjamfgekfpebmhmnmcmemg). The disclosure coincides with another campaign uncovered by Secure Annex dubbed Mellow Drama, which has transformed hundreds of extensions incorporating a Mellowtel library into a distributed web scraping network. The extensions have been collectively installed nearly 1 million times. “We discovered a new monetization library developed by Mellowtel that pays extension developers in exchange for the ‘unused bandwidth’ of users who have an extension installed,” John Tuckner said. The library has been traced back to an individual named Arslan Ali, who is also the founder of a company called Olostep that claims to offer the “world’s Most Reliable and Cost-effective Web Scraping API.” It’s believed that scraping requests from Olostep are distributed to any of the active extensions that are running the Mellowtel library. Mellowtel has since responded, stating it does not collect or sell users’ personal data. “Instead of collecting users’ data, tracking them across the web, and showing them ads non-stop, we are building a monetization engine for developers based on bandwidth/resource sharing,” Ali said.

🎥 Cybersecurity Webinars

• Stop ‘Pip Install and Pray’: How to Secure Your Python Supply Chain in 2025 – Repojacking, typosquatting, and poisoned containers are turning trusted tools into attack vectors. Whether you’re managing infrastructure or writing code, securing your Python environment is no longer optional. Learn how to take control before attackers do.
• From Login Fatigue to AI Fatigue: Securing Identity in 2025 – AI is streamlining logins—but it’s also raising alarm bells. Customers are growing wary of how their data is used, and trust is becoming harder to earn. This webinar reveals how leading brands are rebuilding digital trust while staying secure and user-friendly.
• From Copilots to Attack Bots: Securing the AI Identity Layer – As AI copilots and agents go mainstream, attackers are using the same tools to bypass logins, impersonate users, and exploit APIs. In this webinar, Okta reveals how to outpace AI threats by making identity your first—and last—line of defense.

🔧 Cybersecurity Tools

• BitChat – It is a tool that lets you chat without the internet, servers, or even phone numbers—just Bluetooth. It builds a local mesh network between nearby devices, enabling fully offline communication. Public group chats are secure and ready to use. Private messages and channels are still under development and haven’t been externally reviewed, so they’re not recommended for sensitive conversations just yet.
• GitPhish – It is a tool for testing GitHub’s device login flow in a security research setting. It helps stimulate phishing-style attacks by creating fake login pages, capturing tokens, and tracking activity. Built for ethical testing, it includes a dashboard, automated deployments, and logging—all meant for use in safe, authorized environments only.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Map Known Vulnerabilities Automatically Across Your Stack — Manually checking for CVEs is slow, incomplete, and easy to get wrong. Instead, use automated tools that correlate software versions with known vulnerabilities across your entire environment—both internal and internet-facing.

Start with Nmap and tools like CVEScannerV2 or Vulners NSE to scan live services for exposed software versions and match them to CVE databases. For deeper insights:

• Use tools like Nuclei (customizable vulnerability templates), Trivy (container + system CVEs), and Grype (SBOM-based scanning).
• Monitor third-party components with OSV-Scanner or Dependency-Track if you’re building software.
• Set up scheduled scans and use tools that integrate with ticketing systems to ensure teams actually act on the findings.

Finally, filter out noise—not every CVE is worth patching. Focus on CVEs with public exploits, high CVSS scores, and exposure to users or attackers.

Pro tip: Always validate findings with real-world exploitability, not just version matches.

Conclusion

What stands out this week isn’t just the scale of incidents—it’s how familiar tools, platforms, and even browser extensions are being quietly turned against us. From red teaming software reappearing as malware loaders to code libraries enabling stealth attacks, the line between legitimate use and exploitation keeps getting harder to see. When trusted environments become part of the attack chain, security teams must look beyond patching and start questioning assumptions about what’s safe by default.

Staying ahead means paying just as much attention to what’s already inside the gates as what’s trying to break in.

Jul 14, 2025Ravie LakshmananCybercrime / Law Enforcement

India’s Central Bureau of Investigation (CBI) has announced that it has taken steps to dismantle what it said was a transnational cybercrime syndicate that carried out “sophisticated” tech support scams targeting citizens of Australia and the United Kingdom.

The fraudulent scheme is estimated to have led to losses worth more than £390,000 ($525,000) in the United Kingdom alone.

The law enforcement effort, which was carried out on July 7, 2025, as part of Operation Chakra V, involved searches at three locations in Noida, one of which was a fully functional fraudulent call center operating from the Noida Special Economic Zone.

Evidence gathered by the CBI revealed that the call center, named FirstIdea, made use of advanced calling infrastructure and malicious scripts to facilitate cross-border anonymity and victim targeting at scale. A total of two arrests have been made, including a key operative partner of FirstIdea.

“The operation was meticulously timed with the time zones of the victims, resulting in the detection of live scam calls in progress during the raids,” the CBI said in a press statement.

The syndicate, the agency added, masqueraded as technical support staff of reputed multinational companies, including Microsoft with an intent to cheat foreign nationals by falsely claiming that their devices were compromised and extort money from them to address non-existent technical problems.

The U.K. National Crime Agency (NCA) said the arrest and disruption was the result of 18 months of “groundbreaking collaboration” between CBI, NCA, the U.S. Federal Bureau of Investigation (FBI), and Microsoft to identify the organized crime group and target the IT infrastructure used.

More than 100 people in the United Kingdom are said to have fallen prey to the tech support scam, which involved the threat actors using spoofed phone numbers and Voice Over Internet Protocol (VoIP) to route calls through multiple servers in several countries.

“More than 100 U.K. victims had been contacted by a group offering to fix their computers for a fee, following a screen pop up that suggested their device was infected or had been hacked,” the NCA noted. “In reality, the fraudsters were posing as employees of Microsoft, offering software solutions to an attack that had never taken place.”

The development comes as Nikkei Asia revealed that the number of scam centers used to pull off crypto scams in eastern Myanmar is continuing to expand at a rapid pace despite a crackdown earlier this February, with at least 16 suspected scam sites being documented and construction ongoing at eight of them.

Jul 14, 2025Ravie LakshmananMobile Security / Vulnerability

Cybersecurity researchers have discovered a new hacking technique that exploits weaknesses in the eSIM technology used in modern smartphones, exposing users to severe risks.

The issues impact the Kigen eUICC card. According to the Irish company’s website, more than two billion SIMs in IoT devices have been enabled as of December 2020.

The findings come from Security Explorations, a research lab of AG Security Research company. Kigen awarded the company a $30,000 bounty for their report.

An eSIM, or embedded SIM, is a digital SIM card that’s embedded directly into a device as software installed onto an Embedded Universal Integrated Circuit Card (eUICC) chip.

eSIMs allow users to activate a cellular plan from a carrier without the need for a physical SIM card. eUICC software offers the ability to change operator profiles, remote provisioning, and management of SIM profiles.

“The eUICC card makes it possible to install the so-called eSIM profiles into the target chip,” Security Explorations said. “eSIM profiles are software representations of mobile subscriptions.”

According to an advisory released by Kigen, the vulnerability is rooted in the GSMA TS.48 Generic Test Profile, versions 6.0 and earlier, which is said to be used in eSIM products for radio compliance testing.

Specifically, the shortcoming allows for the installation of non-verified, and potentially malicious applets. GSMA TS.48 v7.0, released last month, mitigates the problem by restricting the use of the test profile. All other versions of the TS.48 specification have been deprecated.

“Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”

Furthermore, the vulnerability could facilitate the extraction of the Kigen eUICC identity certificate, thereby making it possible to download arbitrary profiles from mobile network operators (MNOs) in cleartext, access MNO secrets, and tamper with profiles and put them into an arbitrary eUICC without being flagged by MNO.

Security Explorations said the findings build upon its own prior research from 2019, which found multiple security vulnerabilities in Oracle Java Card that could pave the way for the deployment of a persistent backdoor in the card. One of the flaws also impacted Gemalto SIM, which relies on the Java Card technology.

These security defects can be exploited to “break memory safety of the underlying Java Card VM” and gain full access to the card’s memory, break the applet firewall, and potentially even achieve native code execution.

However, Oracle downplayed the potential impact and indicated that the “security concerns” did not affect their production of Java Card VM. Security Explorations said these “concerns” have now been proven to be “real bugs.”

The attacks might sound prohibitive to execute, but, to the contrary, they are well within the reach of capable nation-state groups. They could allow the attackers to compromise an eSIM card and deploy a stealthy backdoor, effectively intercepting all communications.

“The downloaded profile can be potentially modified in such a way, so that the operator loses control over the profile (no ability for remote control / no ability to disable/invalidate it, etc.), the operator can be provided with a completely false view of the profile state or all of its activity can be subject to monitoring,” the company added.

“In our opinion, the ability for a single broken eUICC / single eUICC GSMA cert theft to peek into (download in plaintext) eSIMs of arbitrary MNO constitutes a significant eSIM architecture weak point.”

Jul 12, 2025Ravie LakshmananAI Security / Vulnerability

NVIDIA is urging customers to enable System-level Error Correction Codes (ECC) as a defense against a variant of a RowHammer attack demonstrated against its graphics processing units (GPUs).

“Risk of successful exploitation from RowHammer attacks varies based on DRAM device, platform, design specification, and system settings,” the GPU maker said in an advisory released this week.

Dubbed GPUHammer, the attacks mark the first-ever RowHammer exploit demonstrated against NVIDIA’s GPUs (e.g., NVIDIA A6000 GPU with GDDR6 Memory), causing malicious GPU users to tamper with other users’ data by triggering bit flips in GPU memory.

The most concerning consequence of this behavior, University of Toronto researchers found, is the degradation of an artificial intelligence (AI) model’s accuracy from 80% to less than 1%.

RowHammer is to modern DRAMs just like how Spectre and Meltdown are to contemporary CPUs. While both are hardware-level security vulnerabilities, RowHammer targets the physical behavior of DRAM memory, whereas Spectre exploits speculative execution in CPUs.

RowHammer causes bit flips in nearby memory cells due to electrical interference in DRAM stemming from repeated memory access, while Spectre and Meltdown allow attackers to obtain privileged information from memory via a side-channel attack, potentially leaking sensitive data.

In 2022, academics from the University of Michigan and Georgia Tech described a technique called SpecHammer that combines RowHammer and Spectre to launch speculative attacks. The approach essentially entails triggering a Spectre v1 attack by using Rowhammer bit-flips to insert malicious values into victim gadgets.

GPUHammer is the latest variant of RowHammer, but one that’s capable of inducing bit flips in NVIDIA GPUs despite the presence of mitigations like target refresh rate (TRR).

In a proof-of-concept developed by the researchers, using a single-bit flip to tamper with a victim’s ImageNet deep neural network (DNN) models can degrade model accuracy from 80% to 0.1%.

Exploits like GPUHammer threaten the integrity of AI models, which are increasingly reliant on GPUs to perform parallel processing and carry out computationally demanding tasks, not to mention open up a new attack surface for cloud platforms.

To mitigate the risk posed by GPUHammer, it’s advised to enable ECC through “nvidia-smi -e 1.” Newer NVIDIA GPUs like H100 or RTX 5090 are not affected due to them featuring on-die ECC, which helps detect and correct errors arising due to voltage fluctuations associated with smaller, denser memory chips.

“Enabling Error Correction Codes (ECC) can mitigate this risk, but ECC can introduce up to a 10% slowdown for [machine learning] inference workloads on an A6000 GPU,” Chris (Shaopeng) Lin, Joyce Qu, and Gururaj Saileshwar, the lead authors of the study, said, adding it also reduces memory capacity by 6.25%.

The disclosure comes as researchers from NTT Social Informatics Laboratories and CentraleSupelec presented CrowHammer, a type of RowHammer attack that enables a key recovery attack against the FALCON (FIPS 206) post-quantum signature scheme, which has been selected by NIST for standardization.

“Using RowHammer, we target Falcon’s RCDT [reverse cumulative distribution table] to trigger a very small number of targeted bit flips, and prove that the resulting distribution is sufficiently skewed to perform a key recovery attack,” the study said.

“We show that a single targeted bit flip suffices to fully recover the signing key, given a few hundred million signatures, with more bit flips enabling key recovery with fewer signatures.”

Cybersecurity researchers have discovered a serious security issue that allows leaked Laravel APP_KEYs to be weaponized to gain remote code execution capabilities on hundreds of applications.

“Laravel’s APP_KEY, essential for encrypting sensitive data, is often leaked publicly (e.g., on GitHub),” GitGuardian said. “If attackers get access to this key, they can exploit a deserialization flaw to execute arbitrary code on the server – putting data and infrastructure at risk.”

The company, in collaboration with Synacktiv, said it was able to extract more than 260,000 APP_KEYs from GitHub from 2018 to May 30, 2025, identifying over 600 vulnerable Laravel applications in the process. GitGuardian said it observed over 10,000 unique APP_KEYs across GitHub, of which 400 APP_KEYs were validated as functional.

APP_KEY is a random 32-byte encryption key that’s generated during the installation of Laravel. Stored in the .env file of the application, it’s used to encrypt and decrypt data, generate secure, random strings, sign and verify data, and create unique authentication tokens, making a crucial security component.

GitGuardian noted that Laravel’s current implementation of decrypt() function introduces a security issue wherein it automatically deserializes decrypted data, thereby opening the door for possible remote code execution.

“Specifically in Laravel applications, if attackers obtain the APP_KEY and can invoke the decrypt() function with a maliciously crafted payload, they can achieve remote code execution on the Laravel web server,” security researcher Guillaume Valadon said.

“This vulnerability was first documented with CVE-2018-15133, which affected Laravel versions prior to 5.6.30. However, this attack vector persists in newer Laravel versions when developers explicitly configure session serialization in cookies using the SESSION_DRIVER=cookie setting, as demonstrated by CVE-2024-55556.”

It’s worth noting that CVE-2018-15133 has been exploited in the wild by threat actors associated with the AndroxGh0st malware, after scanning the internet for Laravel applications with misconfigured .env files.

Further analysis has found that 63% of APP_KEY exposures originate from .env files (or their variants) that typically contain other valuable secrets, such as cloud storage tokens, database credentials, and secrets associated with e-commerce platforms, customer support tools, and artificial intelligence (AI) services.

More importantly, approximately 28,000 APP_KEY and APP_URL pairs have been concurrently exposed on GitHub. Of these, approximately 10% have been found to be valid, rendering 120 applications vulnerable to trivial remote code execution attacks.

Given that the APP_URL configuration specifies the application’s base URL, exposing both APP_URL and APP_KEY creates a potent attack vector that threat actors can leverage to directly access the app, retrieve session cookies, and attempt to decrypt them using the exposed key.

Simply scrubbing secrets from repositories isn’t enough—especially when they’ve already been cloned or cached by third-party tools. What developers need is a clear rotation path, backed by monitoring that flags every future reappearance of sensitive strings across CI logs, image builds, and container layers.

“Developers should never simply delete exposed APP_KEYs from repositories without proper rotation,” GitGuardian said. “The proper response involves: immediately rotating the compromised APP_KEY, updating all production systems with the new key, and implementing continuous secret monitoring to prevent future exposures.”

These types of incidents also align with a broader class of PHP deserialization vulnerabilities, where tools like phpggc help attackers craft gadget chains that trigger unintended behaviors during object loading. When used in Laravel environments with leaked keys, such gadgets can achieve full RCE without needing to breach the app’s logic or routes.

The disclosure comes after GitGuardian revealed that it discovered a “staggering 100,000 valid secrets” in Docker images publicly accessible on the DockerHub registry. This includes secrets associated with Amazon Web Services (AWS), Google Cloud, and GitHub tokens.

A new Binarly analysis of over 80,000 unique Docker images spanning 54 organizations and 3,539 repositories has likewise uncovered 644 unique secrets that encompassed generic credentials, JSON Web Tokens, HTTP Basic Authorization header, Google Cloud API key, AWS access tokens, and CircleCI API tokens, among others.

“Secrets appear in a wide variety of file types, including source code, configuration files, and even large binary files, areas where many existing scanners fall short,” the company said. “Moreover, the presence of entire Git repositories inside container images represents a serious and often overlooked security risk.”

But that’s not all. The rapid adoption of Model Context Protocol (MCP) to enable agentic workflows in enterprise-driven AI applications has opened up brand new attack vectors – a concerning one being the leakage of secrets from MCP servers published to GitHub repositories.

Specifically, GitGuardian found that 202 of them leaked at least one secret, accounting for 5.2% of all the repositories – a number that the company said is “slightly higher than the 4.6% occurrence rate observed on all public repositories,” making MCP servers a “new source of secret leaks.”

While this research focuses on Laravel, the same root problem—unguarded secrets in public repositories—applies to other stacks. Organizations should explore centralized secret scanning, Laravel-specific hardening guides, and secure-by-design patterns for managing .env files and container secrets across frameworks.

Jul 05, 2025Ravie LakshmananNational Security / Privacy

Taiwan’s National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, Douyin, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China.

The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.

“The results indicate the existence of security issues, including excessive data collection and privacy infringement,” the NSB said. “The public is advised to exercise caution when choosing mobile apps.”

The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.

According to the analysis, RedNote violated all 15 indicators, followed by Weibo and Douyin that were found to breach 13 indicators. WeChat and Baidu Cloud violated 10 and 9 of the 15 indicators, respectively.

These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters.

“With regard to data transmission and sharing, the said five apps were found to send packets back to servers located in China,” the NSB said. “This type of transmission has raised serious concerns over the potential misuse of personal data by third-parties.”

NSB also pointed out that companies operating in China are obligated to turn over user data under domestic laws for national security, public security, and intelligence purposes, and that using these apps can breach the privacy of Taiwanese users.

The development comes as countries like India have enacted bans against Chinese-made apps, citing security concerns. In November 2024, Canada ordered TikTok to dissolve its operations in the country, although its fate in the U.S. still remains in limbo, as the ban – which was supposed to take effect in January 2025 – has been extended for a third time.

Last week, one of Germany’s data protection authorities urged Apple and Google to remove Chinese artificial intelligence (AI) chatbot DeepSeek from their respective app stores due to unlawful user data transfers to China. Similar restrictions have also been imposed by other nations.

“The NSB strongly advises the public to remain vigilant regarding mobile device security and avoid downloading China-made apps that pose cybersecurity risks, so as to protect personal data privacy and corporate business secrets,” it added.

(The story was updated after publication to emphasize that the NSB referred to Douyin, TikTok’s China-focused app, and not TikTok itself.)

Jul 11, 2025Ravie LakshmananUnited States

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances.

Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

“An improper neutralization of special elements used in an SQL command (‘SQL Injection’) vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests,” Fortinet said in an advisory released this week.

The shortcoming impacts the following versions –

• FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
• FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
• FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
• FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has acknowledged for discovering the issue.

In an analysis published today, watchTowr Labs said the problem is rooted in a function called “get_fabric_user_by_token” that’s associated with the Fabric Connector component, which acts as a bridge between FortiWeb and other Fortinet products.

The function, in turn, is invoked from another function named “fabric_access_check,” that’s called from three different API endpoints: “/api/fabric/device/status,” “/api/v[0-9]/fabric/widget/[a-z]+,” and “/api/v[0-9]/fabric/widget.”

The issue is that attacker-controlled input – passed via a Bearer token Authorization header in a specially crafted HTTP request – is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code.

The attack can be extended further by embedding a SELECT … INTO OUTFILE statement to write the results of command execution to a file in the underlying operating system by taking advantage of the fact that the query is run as the “mysql” user.

“The new version of the function replaces the previous format-string query with prepared statements – a reasonable attempt to prevent straightforward SQL injection,” security researcher Sina Kheirkhah said.

As temporary workarounds until the necessary patches can be applied, users are recommended to disable HTTP/HTTPS administrative interface.

With flaws in Fortinet devices having been exploited by threat actors in the past, it’s essential that users move quickly to update to the latest version to mitigate potential risks.

Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.

The vulnerabilities, dubbed PerfektBlue, can be fashioned together as an exploit chain to run arbitrary code on cars from at least three major automakers, Mercedes-Benz, Volkswagen, and Skoda, according to PCA Cyber Security (formerly PCAutomotive). Outside of these three, a fourth unnamed original equipment manufacturer (OEM) has been confirmed to be affected as well.

“PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” the cybersecurity company said.

While infotainment systems are often seen as isolated from critical vehicle controls, in practice, this separation depends heavily on how each automaker designs internal network segmentation. In some cases, weak isolation allows attackers to use IVI access as a springboard into more sensitive zones—especially if the system lacks gateway-level enforcement or secure communication protocols.

The only requirement to pull off the attack is that the bad actor needs to be within range and be able to pair their setup with the target vehicle’s infotainment system over Bluetooth. It essentially amounts to a one-click attack to trigger over-the-air exploitation.

“However, this limitation is implementation-specific due to the framework nature of BlueSDK,” PCA Cyber Security added. “Thus, the pairing process might look different between various devices: limited/unlimited number of pairing requests, presence/absence of user interaction, or pairing might be disabled completely.”

The list of identified vulnerabilities is as follows –

• CVE-2024-45434 (CVSS score: 8.0) – Use-After-Free in AVRCP service
• CVE-2024-45431 (CVSS score: 3.5) – Improper validation of an L2CAP channel’s remote CID
• CVE-2024-45433 (CVSS score: 5.7) – Incorrect function termination in RFCOMM
• CVE-2024-45432 (CVSS score: 5.7) – Function call with incorrect parameter in RFCOMM

Successfully obtaining code execution on the In-Vehicle Infotainment (IVI) system enables an attacker to track GPS coordinates, record audio, access contact lists, and even perform lateral movement to other systems and potentially take control of critical software functions of the car, such as the engine.

Following responsible disclosure in May 2024, patches were rolled out in September 2024.

“PerfektBlue allows an attacker to achieve remote code execution on a vulnerable device,” PCA Cyber Security said. “Consider it as an entrypoint to the targeted system which is critical. Speaking about vehicles, it’s an IVI system. Further lateral movement within a vehicle depends on its architecture and might involve additional vulnerabilities.”

Earlier this April, the company presented a series of vulnerabilities that could be exploited to remotely break into a Nissan Leaf electric vehicle and take control of critical functions. The findings were presented at the Black Hat Asia conference held in Singapore.

“Our approach began by exploiting weaknesses in Bluetooth to infiltrate the internal network, followed by bypassing the secure boot process to escalate access,” it said.

“Establishing a command-and-control (C2) channel over DNS allowed us to maintain a covert, persistent link with the vehicle, enabling full remote control. By compromising an independent communication CPU, we could interface directly with the CAN bus, which governs critical body elements, including mirrors, wipers, door locks, and even the steering.”

CAN, short for Controller Area Network, is a communication protocol mainly used in vehicles and industrial systems to facilitate communication between multiple electronic control units (ECUs). Should an attacker with physical access to the car be able to tap into it, the scenario opens the door for injection attacks and impersonation of trusted devices.

“One notorious example involves a small electronic device hidden inside an innocuous object (like a portable speaker),” the Hungarian company said. “Thieves covertly plug this device into an exposed CAN wiring junction on the car.”

“Once connected to the car’s CAN bus, the rogue device mimics the messages of an authorized ECU. It floods the bus with a burst of CAN messages declaring ‘a valid key is present’ or instructing specific actions like unlocking the doors.”

In a report published late last month, Pen Test Partners revealed it turned a 2016 Renault Clio into a Mario Kart controller by intercepting CAN bus data to gain control of the car and mapping its steering, brake, and throttle signals to a Python-based game controller.