@itpro.com
//
A supply chain attack has targeted the widely used GitHub Action 'tj-actions/changed-files-action,' leading to the leakage of secrets from numerous repositories. This incident, first reported by Step Security, involved the compromise of the action, allowing attackers to inject malicious code into CI workflows. This code was designed to dump CI runner memory, potentially exposing sensitive information like API keys and passwords in public repository workflow logs. The compromised 'tj-actions/changed-files' repository and the GitHub gist hosting the malicious script have since been removed to mitigate further exploitation.
This vulnerability, assigned CVE-2025-30066, affected all versions of 'tj-actions/changed-files' as of March 15, 2025. The malicious code was introduced through a spoofed commit from the Renovate bot, enabling unauthorized access and modification of the action's code. While no external exfiltration of secrets to an attacker-controlled server has been observed, the exposure within affected repositories remains a significant risk. Impacted organizations are urged to take immediate action to mitigate the risk of credential theft and CI pipeline compromise, particularly in public repositories where secrets in workflow logs are publicly accessible.
Recommended read:
References :
- Rescana: GitHub Actions Security Breach: tj-actions/changed-files-action Supply Chain Vulnerability Analysis
- Wiz Blog | RSS feed: GitHub Action tj-actions/changed-files supply chain attack: everything you need to know
- Open Source Security: tj-action/changed-files GitHub action was compromised
- Dan Goodin: Is anyone following this breach involving the j-actions/changed-files GitHub Action? Seems pretty major, but I'm still trying to figure out exactly what's going on, who's affected, and what people (and how many) are affected. If you can help me get up to speed please DM me on Signal -- DanArs.82, or on Mastodon
- securityonline.info: Popular GitHub Action “tj-actions/changed-files� Compromised (CVE-2025-30066)
- Risky Business Media: Risky Bulletin: GitHub supply chain attack leaks secrets
- www.itpro.com: Organizations urged to act fast after GitHub Action supply chain attack
- : Tj-actions Supply Chain Attack Exposes 23,000 Organizations
- Latio Pulse: Understanding and Re-Creating the tj-actions/changed-files Supply Chain Attack discusses the tj-actions/changed-files supply chain attack.
- The Register - Security: GitHub supply chain attack spills secrets from 23,000 projects
- BleepingComputer: Supply chain attack on popular GitHub Action exposes CI/CD secrets
- www.cybersecuritydive.com: Supply chain attack against GitHub Action triggers massive exposure of secrets
- Metacurity: A GitHub Action used in 23,000 repos was compromised in a supply chain attack
- gbhackers.com: Supply Chain Attack Targets 23,000 GitHub Repositories
- hackread.com: Malicious Code Hits ‘tj-actions/changed-files’ in 23,000 GitHub Repos
- www.infoworld.com: Thousands of open source projects at risk from hack of GitHub Actions tool
- bsky.app: Bsky Social - A supply chain attack on the widely used 'tj-actions/changed-files' GitHub Action, used by 23,000 repositories, potentially allowed threat actors to steal CI/CD secrets from GitHub Actions build logs.
- Wiz Blog | RSS feed: New GitHub Action supply chain attack: reviewdog/action-setup
- unit42.paloaltonetworks.com: Threat Assessment: GitHub Actions Supply Chain Attack: The Compromise of tj-actions/changed-files
- Legit Security Blog: Github Actions tj-actions/changed-files Attack
- Security Risk Advisors: TB2025318 – GitHub Action “tj-actions/changed-files� Compromised to Leak Secrets for Repositories Using the CI/CD Workflow
- securityaffairs.com: GitHub Action tj-actions/changed-files was compromised in supply chain attack
- bsky.app: A cascading supply chain attack that began with the compromise of the "reviewdog/action-setup@v1" GitHub Action is believed to have led to the recent breach of "tj-actions/changed-files" that leaked CI/CD secrets.
- blog.gitguardian.com: Compromised tj-actions/changed-files GitHub Action: A look at publicly leaked secrets
- Kaspersky official blog: Supply chain attack via GitHub Action | Kaspersky official blog
- Risky Business Media: Risky Business #784 -- GitHub supply chain attack steals secrets from 23k projects
- thecyberexpress.com: CISA Warns of Exploited GitHub Action CVE-2025-30066 – Users Urged to Patch
- The DefendOps Diaries: Understanding the GitHub Action Supply Chain Attack
- Sam Bent: GitHub Action Vulnerability: Supply Chain Attack Exposes Limited Secrets, Raises Broader Concerns
- Schneier on Security: Critical GitHub Attack
- Aembit: GitHub Action tjactions/changed-files Supply Chain Breach Exposes NHI Risks in CI/CD
- www.cybersecurity-insiders.com: GitHub Supply Chain Attack Raises Awareness Across The Cybersecurity Community
- tl;dr sec: [tl;dr sec] #271 - Threat Modeling (+ AI), Backdoored GitHub Actions, Compromising a Threat Actor's Telegram
@cyberalerts.io
//
A critical vulnerability has been discovered in the widely-used Next.js framework, identified as CVE-2025-29927. This flaw allows attackers to bypass authorization checks within the framework's middleware system. Middleware is commonly used to enforce authentication, authorization, path rewriting, and security-related headers, making this vulnerability particularly severe. Vercel, the company behind Next.js, disclosed the issue on March 21st, 2025, highlighting its potential impact on services relying on vulnerable versions of the framework.
To mitigate the risk, developers using Next.js version 11 or higher are urged to update to the patched versions: 15.2.3, 14.2.25, 13.5.9, or 12.3.5. For those unable to immediately update, a temporary workaround involves blocking user requests with the 'x-middleware-subrequest' header. Some hosting platforms, like Vercel and Netlify, have already implemented this measure to protect their users. The vulnerability allows login screens to be bypassed without proper credentials, potentially compromising user data and sensitive information.
Recommended read:
References :
- securityonline.info: Urgent: Patch Your Next.js for Authorization Bypass (CVE-2025-29927)
- Open Source Security: Re: CVE-2025-29927: Authorization Bypass in Next.js Middleware
- isc.sans.edu: ISC SANS posting on the Next.js vulnerability
- bsky.app: It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.
- Lobsters: How to find Next.js on your network
- Strobes Security: When security vulnerabilities appear in popular frameworks, they can affect thousands of websites overnight. That’s exactly what’s happening with a newly discovered Next.js vulnerability, one of the most widely used...
- securityaffairs.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
- Open Source Security: CVE-2025-29927: Authorization Bypass in Next.js Middleware
- socradar.io: Next.js Middleware Vulnerability (CVE-2025-29927): What You Need to Know and How to Respond
- thehackernews.com: Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks
- securityboulevard.com: CVE-2025-29927 – Understanding the Next.js Middleware Vulnerability
- BleepingComputer: Critical flaw in Next.js lets hackers bypass authorization
- Help Net Security: Help Net Security reports on the critical Next.js authentication bypass vulnerability.
- cyberscoop.com: Researchers raise alarm about critical Next.js vulnerability
- Legit Security Blog: Next.js Vulnerability: What You Need to Know
- Resources-2: Discovered a critical vulnerability affecting Next.js middleware, tracked as CVE-2025-29927.
- The DefendOps Diaries: Understanding and mitigating CVE-2025-29927: a critical Next.js vulnerability
- Developer Tech News: Critical security flaw uncovered in Next.js framework
- nsfocusglobal.com: Next.js Middleware Permission Bypass Vulnerability (CVE-2025-29927)
- www.techradar.com: Critical security flaw in Next.js could spell big trouble for JavaScript users
- infosec.exchange: : Critical in NextJS (CVE-2025-29927) impacts all NextJS versions before 15.2.3, 14.2.25, 13.5.9, 12.3.5 allowing attackers to bypass authorisation checks. Great explanation and a Proof-of-Concept demonstration by @_JohnHammond 👇
- SOC Prime Blog: CVE-2025-29927 Next.js Middleware Authorization Bypass Vulnerability
- Kali Linux Tutorials: CVE-2025-29927 : Next.js Middleware Authorization Bypass – Technical Analysis
- DEVCLASS: Next.js team fixes vuln that allows authorization bypass when middleware is used, revises documentation recommending this method
- Rescana: Executive Summary The discovery of CVE-2025-29927 , a critical vulnerability in Next.js , has raised significant cybersecurity concerns...
- Stormshield: A critical authentication bypass vulnerability impacting the Next.js middleware has been reported. It has been assigned the reference CVE-2025-29927 and a CVSS 3.1 score of 9.1. It should be noted that proof of concept are publicly available about this CVE-2025-29927 vulnerability.
- Fastly Security Blog: CVE-2025-29927: Authorization Bypass in Next.js
- hackread.com: Researchers have uncovered a critical vulnerability (CVE-2025-29927) in Next.js middleware, allowing authorization bypass. Learn about the exploit and fixes.
Vasu Jakkal@Microsoft Security Blog
//
Microsoft has unveiled a significant expansion of its Security Copilot platform, integrating AI agents designed to automate security operations tasks and alleviate the workload on cybersecurity professionals. This move aims to address the increasing volume and complexity of cyberattacks, which are overwhelming security teams that rely on manual processes. The AI-powered agents will handle routine tasks, freeing up IT and security staff to tackle more complex issues and proactive security measures. Microsoft detected over 30 billion phishing emails targeting customers between January and December 2024 highlighting the urgent need for automated solutions.
The expansion includes eleven AI agents, six developed by Microsoft and five by security partners, set for preview in April 2025. Microsoft's agents include the Phishing Triage Agent in Microsoft Defender, Alert Triage Agents in Microsoft Purview, Conditional Access Optimization Agent in Microsoft Entra, Vulnerability Remediation Agent in Microsoft Intune, and Threat Intelligence Briefing Agent in Security Copilot. These agents are purpose-built for security, designed to learn from feedback, adapt to workflows, and operate securely within Microsoft’s Zero Trust framework, ensuring that security teams retain full control over their actions and responses.
Recommended read:
References :
- The Register - Software: AI agents swarm Microsoft Security Copilot
- Microsoft Security Blog: Microsoft unveils Microsoft Security Copilot agents and new protections for AI
- .NET Blog: Learn how the Xbox services team leveraged .NET Aspire to boost their team's productivity.
- Ken Yeung: Microsoft’s First CTO Says AI Is ‘Three to Five Miracles’ Away From Human-Level Intelligence
- SecureWorld News: Microsoft Expands Security Copilot with AI Agents
- www.zdnet.com: Microsoft's new AI agents aim to help security pros combat the latest threats
- www.itpro.com: Microsoft launches new security AI agents to help overworked cyber professionals
- www.techrepublic.com: After Detecting 30B Phishing Attempts, Microsoft Adds Even More AI to Its Security Copilot
- eSecurity Planet: esecurityplanet.com covers Fortifying Cybersecurity: Agentic Solutions by Microsoft and Partners
- Microsoft Security Blog: AI innovation requires AI security: Hear what’s new at Microsoft Secure
- www.csoonline.com: Microsoft has introduced a new set of AI agents for its Security Copilot platform, designed to automate key cybersecurity functions as organizations face increasingly complex and fast-moving digital threats.
- SiliconANGLE: Microsoft introduces AI agents for Security Copilot
- SiliconANGLE: Microsoft Corp. is enhancing the capabilities of its popular artificial intelligence-powered Copilot tool with the launch late today of its first “deep reasoning” agents, which can solve complex problems in the way a highly skilled professional might do.
- Ken Yeung: Microsoft is introducing a new way for developers to create smarter Copilots.
- Source Asia: Microsoft Security Copilot agents and more security innovations
- www.computerworld.com: Microsoft’s Newest AI Agents Can Detail How They Reason
Ojukwu Emmanuel@Tekedia
//
On February 21, 2025, the cryptocurrency exchange Bybit suffered a massive security breach resulting in the theft of approximately $1.46 billion in crypto assets. Investigations have pointed towards the Lazarus Group, a North Korean state-sponsored hacking collective, as the perpetrators behind the audacious heist. The FBI has officially accused the Lazarus Group of stealing $1.5 billion in Ethereum and has requested assistance in tracking down the stolen funds.
Bybit has declared war on the Lazarus Group following the incident and is offering a $140 million bounty for information leading to the recovery of the stolen cryptocurrency. CEO Ben Zhou has launched Lazarusbounty.com, a bounty site aiming for transparency on the Lazarus Group's money laundering activities. The attack involved exploiting vulnerabilities in a multisig wallet platform, Safe{Wallet}, by compromising a developer’s machine, enabling the transfer of over 400,000 ETH and stETH (worth over $1.5 billion) to an address under their control.
Recommended read:
References :
- The Register - Security: The FBI has officially accused North Korea's Lazarus Group of stealing $1.5 billion in Ethereum from crypto-exchange Bybit earlier this month, and asked for help tracking down the stolen funds.
- Secure Bulletin: The Lazarus Group, a notorious North Korean state-sponsored hacking collective, has once again demonstrated its sophistication and audacity with a staggering $1.5 billion cryptocurrency heist targeting Bybit, a major crypto exchange.
- SecureWorld News: On February 21, 2025, the cryptocurrency world was rocked by the largest crypto heist in history. Dubai-based exchange Bybit was targeted in a malware-driven attack that resulted in the theft of approximately $1.46 billion in crypto assets.
- Tekedia: Bybit, a leading crypto exchange, has declared war on “notorious� Lazarus group, a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. This is coming after the crypto exchange experienced a security breach resulting in the unauthorized transfer of over $1.4 billion in liquid-staked crypto assets.
- ChinaTechNews.com: North Korea was behind the theft of approximately $1.5bn in virtual assets from a cryptocurrency exchange, the FBI has said, in what is being described as the biggest heist in history.
- iHLS: Largest-Ever Crypto Heist steals $1.4 Billion
- techcrunch.com: The FBI said the North Korean government is ‘responsible’ for the hack at crypto exchange Bybit, which resulted in the theft of more than $1.4 billion in Ethereum cryptocurrency.
- PCMag UK security: The FBI is urging the cryptocurrency industry to freeze any transactions tied to the Bybit heist. The FBI has the $1.4 billion cryptocurrency at Bybit to North Korean state-sponsored hackers after security researchers reached the same conclusion.
- Talkback Resources: FBI Says North Korea Hacked Bybit as Details of $1.5B Heist Emerge [net] [mal]
- thehackernews.com: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- PCMag UK security: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- www.pcmag.com: FBI Blames North Korea for Massive $1.4 Billion Cryptocurrency Heist
- SecureWorld News: FBI Attributes Bybit Hack: FBI Attributes to North Korea, Urges Crypto Sector to Act
- Dan Goodin: InfoSec Exchange Post on the FBI attribution to the Lazarus group and Bybit hack
- bsky.app: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- Wallarm: Lab Wallarm discusses how Bybit’s Real-Time Blacklisting Is Thwarting a $1.5B Crypto Heist
- infosec.exchange: NEW: Hacked crypto exchange Bybit is offering $140 million in bounties to anyone who can help locate and freeze the stolen ethereum. Bybit also disclosed preliminary results of investigations, which reveal hackers breached a developer’s device at a wallet platform Safe Wallet.
- securityaffairs.com: FBI: North Korea-linked TraderTraitor is responsible for $1.5 Billion Bybit hack
- Cybercrime Magazine: Bybit Suffers Largest Crypto Hack In History
- www.cnbc.com: Details on the attack in a news article
- The Register - Security: Bybit declares war on North Korea's Lazarus crime-ring to regain $1.5B stolen from wallet
- Sergiu Gatlan: Forensic investigators have discovered that North Korean Lazarus hackers stole $1.5 billion from Bybit after first breaching a Safe{Wallet} developer machine. The multisig wallet platform has also confirmed these findings in a statement issued today.
- gbhackers.com: Researchers Uncover $1.4B in Sensitive Data Tied to ByBit Hack by Lazarus Group
- infosec.exchange: NEW: After security researchers and firms accused North Korea of the massive Bybit hack, the FBI follows suit. North Korean government hackers allegedly stoled more than $1.4 billion in Ethereum from the crypto exchange.
- www.cysecurity.news: Bybit Suffers Historic $1.5 Billion Crypto Hack, Lazarus Group Implicated
- infosec.exchange: Bybit, that major cryptocurrency exchange, has been hacked to the tune of $1.5 billion in digital assets stolen, in what’s estimated to be the largest crypto heist in history.
- BleepingComputer: Bybit, a major cryptocurrency exchange, has fallen victim to a massive cyberattack, with approximately $1.5 billion in cryptocurrency stolen. The breach is believed to be the largest single theft in crypto history.
- Taggart :donor:: Cryptocurrency exchange Bybit suffered a massive security breach, resulting in the loss of $1.5 billion in digital assets. The hack compromised the exchange's cold wallet and involved sophisticated techniques to steal the funds.
- www.cysecurity.news: CySecurity News report on the Bybit hack, its implications, and the potential Lazarus Group connection.
- : The 420 report on Bybit theft
- infosec.exchange: Details of the Bybit hack and Lazarus Group's involvement.
- Talkback Resources: Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers
- securityaffairs.com: The FBI confirmed that North Korea is responsible for the record-breaking cyber heist at the crypto exchange Bybit.
- Zack Whittaker: Grab some coffee — your weekly ~ this week in security ~ is out: • North Korea's record-breaking $1.4B crypto heist
- infosec.exchange: Infosec Exchange post about Bybit crypto heist.
- The Record: Experts from multiple blockchain security companies said that North Korean hackers were able to move all of the ETH coins stolen from Bybit to new addresses — the first step taken before the funds can be laundered further
- infosec.exchange: The (allegedly North Korean) hackers behind the Bybit crypto heist have already laundered all the stolen Ethereum, which was worth $1.4 billion.
- Metacurity: Lazarus Group hackers have laundered 100% of the $1.4 billion they stole from Bybit
Sergiu Gatlan@BleepingComputer
//
EncryptHub, a group linked to RansomHub, has been identified as the actor exploiting a zero-day vulnerability in Microsoft Management Console (MMC). Tracked as CVE-2025-26633, this flaw allows attackers to bypass security features and execute malicious code on vulnerable Windows systems. The vulnerability stems from improper input sanitization within MMC, a core administrative tool. Attackers are leveraging this flaw through email and web-based attacks, delivering malicious payloads to unsuspecting users, bypassing Windows file reputation protections.
The exploit, dubbed 'MSC EvilTwin', manipulates .msc files and the Multilingual User Interface Path (MUIPath) to execute malicious payloads, maintain persistence, and steal sensitive data. Specifically, attackers create two .msc files with the same name, a clean one and a malicious counterpart. When the legitimate file is run, MMC inadvertently picks the rogue file from a directory named "en-US" and executes it, unbeknownst to the user. This sophisticated technique allows EncryptHub to deploy various malware families, including Rhadamanthys and StealC, information stealers which pose a severe risk to affected organizations.
Recommended read:
References :
- The DefendOps Diaries: Understanding the CVE-2025-26633 Vulnerability in Microsoft Management Console
- www.trendmicro.com: Trend Research identified Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- Cyber Security News: Hackers Exploit Windows MMC Zero-Day Vulnerability to Execute Malicious Code
- BleepingComputer: A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month.
- gbhackers.com: Windows MMC Framework Zero-Day Exploited to Execute Malicious Code
- www.scworld.com: Windows-targeted EncryptHub attacks involve MMC zero-day exploitation
- bsky.app: EncryptHub, an affiliate of RansomHub, was behind recent MMC zero-day patched this month by Microsoft
- The Hacker News: EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware
- Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.cybersecuritydive.com: A threat actor known as “EncryptHub” began exploiting the zero-day vulnerability before it was patched earlier this month.
- : Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console that attackers exploit to execute malicious code and exfiltrate data.
- www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
Pierluigi Paganini@Security Affairs
//
Broadcom has issued security updates to address a high-severity authentication bypass vulnerability affecting VMware Tools for Windows. Tracked as CVE-2025-22230, the flaw stems from improper access control, potentially allowing a malicious actor with non-administrative privileges on a guest virtual machine to perform high-privilege operations. Discovered by Sergey Bliznyuk of Positive Technologies, the vulnerability impacts VMware Tools versions 11.x.x and 12.x.x.
Security experts are urging users to apply the updates promptly, as there are currently no known workarounds besides patching. The vulnerability has been assigned a CVSS score of 7.8 out of 10, highlighting its severity. It exclusively affects VMware Tools running on Windows operating systems, emphasizing the importance of immediate action for affected users.
Recommended read:
References :
- Security Affairs: Broadcom released security updates to address a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
- securityonline.info: VMware Tools for Windows Hit by CVE-2025-22230 Auth Bypass Flaw
- The DefendOps Diaries: Understanding the VMware Tools Authentication Bypass Vulnerability
- thehackernews.com: New Security Flaws Found in VMware Tools and CrushFTP — High Risk, No Workaround
- www.csoonline.com: VMware plugs a high-risk vulnerability affecting its Windows-based virtualization
- BleepingComputer: Broadcom Warns of Authentication Bypass in VMware Windows Tools
- www.techradar.com: Broadcom warns of worrying security flaws affecting VMware tools
- Security Risk Advisors: New VMware Tools vulnerability (CVE-2025-22230) allows non-admin Windows guest users to perform privileged operations.
- Security | TechRepublic: Update VMware Tools for Windows Now: High-Severity Flaw Lets Hackers Bypass Authentication
- securityaffairs.com: Broadcom addressed a high-severity authentication bypass vulnerability, tracked as CVE-2025-22230 (CVSS score 9.8), impacting VMware Tools for Windows.
Megan Crouse@eWEEK
//
Cloudflare has launched AI Labyrinth, a new tool designed to combat web scraping bots that steal website content for AI training. Instead of simply blocking these crawlers, AI Labyrinth lures them into a maze of AI-generated content. This approach aims to waste the bots' time and resources, providing a more effective defense than traditional blocking methods which can trigger attackers to adapt their tactics. The AI Labyrinth is available as a free, opt-in tool for all Cloudflare customers, even those on the free tier.
The system works by embedding hidden links within a protected website. When suspicious bot behavior is detected, such as ignoring robots.txt rules, the crawler is redirected to a series of AI-generated pages. This content is "real looking" and based on scientific facts, diverting the bot from the original website's content. Because no human would deliberately explore deep into a maze of AI-generated nonsense, anyone who does can be identified as a bot with high confidence. Cloudflare emphasizes that AI Labyrinth also functions as a honeypot, allowing them to identify new bot patterns and improve their overall bot detection capabilities, all while increasing the cost for unauthorized web scraping.
Recommended read:
References :
- The Register - Software: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content
- eWEEK: Crowdflare’s Free AI Labyrinth Distracts Crawlers That Could Steal Website Content to Feed AI
- The Verge: Cloudflare, one of the biggest network internet infrastructure companies in the world, has announced AI Labyrinth, a new tool to fight web-crawling bots that scrape sites for AI training data without permission. The company says in a blog post that when it detects “inappropriate bot behavior,� the free, opt-in tool lures crawlers down a path
- OODAloop: Trapping misbehaving bots in an AI Labyrinth
- THE DECODER: Instead of simply blocking unwanted AI crawlers, Cloudflare has introduced a new defense method that lures them into a maze of AI-generated content, designed to waste their time and resources.
- Digital Information World: Cloudflare’s Latest AI Labyrinth Feature Combats Unauthorized AI Data Scraping By Giving Bots Fake AI Content
- Ars OpenForum: Cloudflare turns AI against itself with endless maze of irrelevant facts
- Cyber Security News: Cloudflare Introduces AI Labyrinth to Thwart AI Crawlers and Malicious Bots
- poliverso.org: Cloudflare’s AI Labyrinth Wants Bad Bots To Get Endlessly Lost
- aboutdfir.com: Cloudflare builds an AI to lead AI scraper bots into a horrible maze of junk content Cloudflare has created a bot-busting AI to make life hell for AI crawlers.
Jeff Burt@DevOps.com
//
A malicious package imitating the popular BoltDB module has been discovered in the Go ecosystem. This package contains a backdoor that enables remote code execution, posing a significant security risk to developers using the compromised module. The malicious package, a typosquat of BoltDB, was discovered by researchers at Socket, an application security company.
This attack exploits the Go Module Mirror's caching mechanism, allowing the malware to persist undetected despite manual code reviews. After the malware was cached by the Go Module Mirror, the git tag was strategically altered on GitHub to remove traces of malicious code and hide it from manual review. To mitigate software supply-chain threats, Socket advises developers to verify package integrity before installation, analyze dependencies for anomalies, and use security tools that inspect installed code at a deeper level.
Recommended read:
References :
- ciso2ciso.com: Source: thehackernews.com – Author: . Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems.
- Lobsters: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- The Hacker News: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- bsky.app: Socket Security has discovered a malicious Go module for the BoltDB database that contains a hidden backdoor. The module is cached in the Go Module Mirror, the first attack documented making it in the the Go Module Mirror despite manual code reviews. https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-for-persistence
- ciso2ciso.com: Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access
- fosstodon.org: Socket: Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence
- DevOps.com: Typosquat Supply Chain Attack Targets Go Developers
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s
- securityonline.info: Socket researchers have discovered a malicious typosquatting package in the Go ecosystem that exploits the Go Module Proxy’s The post appeared first on .
- www.infoworld.com: Malicious package found in the Go ecosystem
- ciso2ciso.com: Malicious package found in the Go ecosystem – Source: www.infoworld.com
- ciso2ciso.com: Source: www.infoworld.com – Author: The malicious package, a typosquat of the popular BoltDB module, is said to be among the first known exploits of the Go Module Mirror’s indefinite module caching.
- heise online English: Typosquatting in the Go ecosystem: Fake BoltDB package discovered A malicious package in the Go ecosystem imitates BoltDB and contains a backdoor. Attackers used the caching service to spread the malware unnoticed.
- www.heise.de: Typosquatting in the Go ecosystem: Fake BoltDB package discovered
gist.github.com via pushcx@Lobsters
//
A 15-year-old hacker has uncovered a significant security vulnerability related to Cloudflare's caching feature. This "zero-click deanonymization attack" can expose a user's precise location, within a 250-mile radius, without any interaction required from the user. The exploit impacts several popular platforms, including Signal and Discord, raising concerns for privacy among users. The hacker published a research paper warning about this undetectable exploit, targeted towards journalists, activists, and hackers, highlighting how attackers could send a malicious payload and reveal locations within seconds.
Multiple online cybercrime platforms including Cracked, Nulled, Sellix, and StarkRDP, have been seized by law enforcement in a large international operation. These sites, which facilitated the trading of stolen data, malware, and hacking tools, were used by over 10 million users. The operation involved authorities from multiple countries, and included arrests, property searches, and the confiscation of devices and funds. Europol reports that these platforms had generated over a million euros in illicit profits. The shutdown also targeted supporting services like financial processor Sellix and hosting service StarkRDP. Authorities indicate that these forums also offered AI-based tools to automate security vulnerability scans and enhance phishing attacks.
Recommended read:
References :
- Lobsters: Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platform
- The Hacker News: Authorities Seize Domains of Popular Hacking Forums in Major Cybercrime Crackdown
- blog.cloudflare.com: Cloudflare : Cloudflare released an outage postmortum for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour.
- BleepingComputer: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage yesterday that brought down multiple services for nearly an hour.
- www.bleepingcomputer.com: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage yesterday that brought down multiple services for nearly an hour.
- BleepingComputer: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage yesterday that brought down multiple services for nearly an hour.
- cyb_detective: An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.
- Anonymous ???????? :af:: An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.
- : Cloudflare : Cloudflare released an outage postmortum for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour. This caused all operations against R2 object storage to fail for the duration of the incident, and caused a number of other Cloudflare services that depend on R2 to fail as well.
- bsky.app: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage yesterday that brought down multiple services for nearly an hour.
- BleepingComputer: A routine attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour.
- : Cloudflare released an outage postmortum for yesterday's incident in which multiple Cloudflare services were unavailable for almost a full hour.
Michael Nuñez@AI News | VentureBeat
//
AI security startup Hakimo has secured $10.5 million in Series A funding to expand its autonomous security monitoring platform. The funding round was led by Vertex Ventures and Zigg Capital, with participation from RXR Arden Digital Ventures, Defy.vc, and Gokul Rajaram. This brings the company’s total funding to $20.5 million. Hakimo's platform addresses the challenges of rising crime rates, understaffed security teams, and overwhelming false alarms in traditional security systems.
The company’s flagship product, AI Operator, monitors existing security systems, detects threats in real-time, and executes response protocols with minimal human intervention. Hakimo's AI Operator utilizes computer vision and generative AI to detect any anomaly or threat that can be described in words. Companies using Hakimo can save approximately $125,000 per year compared to using traditional security guards.
Recommended read:
References :
- AiThority: Hakimo Secures $10.5Million to Transform Physical Security With Human-Like Autonomous Security Agent
- AI News | VentureBeat: The watchful AI that never sleeps: Hakimo’s $10.5M bet on autonomous security
- Unite.AI: Hakimo Raises $10.5M to Revolutionize Physical Security with Autonomous AI Agent
@www.helpnetsecurity.com
//
End-of-life Zyxel routers are under active attack via CVE-2024-40891, a command injection vulnerability, and the company has confirmed that no patches will be released. The affected models include VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. Zyxel is advising users to replace these devices and those who obtained their Zyxel product through an internet service provider (ISP), to contact the ISP for support. Despite being EOL, approximately 1,500 affected systems with internet-facing Telnet interfaces remain in use worldwide.
Meanwhile, a security vulnerability, CVE-2025-23114, has been identified in the Veeam Updater component. This vulnerability allows Man-in-the-Middle attackers to execute arbitrary code on affected servers due to a failure to properly validate TLS certificates. The Veeam Backup vulnerability impacts Veeam Backup for AWS, Veeam Backup for Google Cloud, Veeam Backup for Microsoft Azure, Veeam Backup for Nutanix AHV, Oracle Linux Virtualization Manager and Red Hat Virtualization, Veeam Backup for Salesforce. Users are advised to review Veeam's knowledge base article KB4712 for further information and mitigation steps.
Recommended read:
References :
- gbhackers.com: GBHackers' article detailing the critical Veeam backup vulnerability and RCE.
- securityonline.info: SecurityOnline's article on CVE-2025-23114, highlighting the remote code execution risk.
- socca.tech: Socca.tech's vulnerability assessment report on CVE-2025-23114.
- gbhackers.com: Veeam Backup Vulnerability Allows Attackers to Execute Arbitrary Code
- securityonline.info: CVE-2025-23114 (CVSS 9.0): Critical Veeam Backup Vulnerability Enables Remote Code Execution
- socradar.io: Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution
- : CVE-2025-23114 (9.0 critical) A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions.
- www.heise.de: Veeam Backup: Code smuggling possible through MitM gap in updater Veeam Backup contains an updater that is vulnerable to man-in-the-middle attacks.
- The Hacker News: New Veeam Flaw Allows Arbitrary Code Execution via Man-in-the-Middle Attack
- nvd.nist.gov: The National Vulnerability Database (NVD) provides details about the vulnerability, including its severity and potential impact.
- www.veeam.com: Veeam's official knowledge base article details the vulnerability, provides guidance on mitigating the risk, and outlines recommended actions.
- www.helpnetsecurity.com: There will be no patches for EOL Zyxel routers under attack via CVE-2024-40891
Microsoft Threat@Microsoft Security Blog
//
The U.S. Department of Justice has indicted 12 Chinese individuals for over a decade of global hacking intrusions, including a breach of the U.S. Treasury last year. The individuals include eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security, and two other alleged hackers belonging to the APT27 group, also known as Silk Typhoon. The group is accused of targeting U.S. state and federal agencies, foreign ministries across Asia, Chinese dissidents, and U.S.-based media outlets critical of the Chinese government.
Microsoft Threat Intelligence has detected a new variant of XCSSET, a macOS malware targeting Xcode projects, since 2022. This variant features enhanced obfuscation, updated persistence mechanisms, and new infection strategies. It steals and exfiltrates files and system/user information, including digital wallet data and notes. The malware's modular approach and encoded payloads make detection and removal challenging, even allowing it to remain fileless.
Recommended read:
@www.forbes.com
//
A new report by Citizen Lab and the EFF Threat Lab has uncovered critical security vulnerabilities within the popular Chinese social media application, RedNote. The analysis, conducted on version 8.59.5 of the app, revealed that RedNote transmits user content, including viewed images and videos, over unencrypted HTTP connections. This exposes sensitive user data to potential network eavesdroppers, who can readily access the content being browsed.
Additionally, the report highlights that the Android version of RedNote contains a vulnerability that could allow attackers to access the contents of files on a user's device. The app also transmits device metadata without adequate encryption, sometimes even when using TLS, potentially enabling attackers to learn about a user's device screen size and mobile network carrier. Despite responsible disclosures to RedNote and its vendors NEXTDATA and MobTech in late 2024 and early 2025, no response has been received regarding these critical security flaws.
Recommended read:
References :
- citizenlab.ca: The report highlights three serious security issues in the RedNote app.
- Deeplinks: The EFF Threat Lab confirmed the Citizen Lab findings about Red Note.
- www.forbes.com: Is RedNote Safe? Here's What Millions of TikTok Users Need to Know
- Deeplinks: Crimson Memo: Analyzing the Privacy Impact of Xiaohongshu AKA Red Note
@socket.dev
//
The Open Source Security Foundation (OpenSSF), a Linux Foundation cross-industry initiative, has launched the Open Source Project Security Baseline (OSPS Baseline), a tiered framework designed to standardize security practices for open source projects. This initiative aims to provide practical and impactful security best practices, enhancing software development and consumption security for projects of all sizes. The OSPS Baseline compiles existing guidance from OpenSSF and other expert groups, offering actionable steps to improve the security posture of open source software.
The OSPS Baseline organizes controls into three maturity levels, catering to projects with varying numbers of maintainers and users. These levels address crucial areas such as access control, documentation, governance, build and release processes, security assessment, and vulnerability management. By adhering to the Baseline, developers can build a foundation that supports compliance with global cybersecurity regulations, including the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF). OpenSSF invites open source developers, maintainers, and organizations to utilize the OSPS Baseline to refine the framework and promote the adoption of security best practices in the open source community.
Recommended read:
References :
- Help Net Security: OSPS Baseline: Practical security best practices for open source software projects
- Tenable Blog: Check out a new framework for better securing open source projects. Plus, learn how AI is making ransomware harder to detect and mitigate.
- socket.dev: OpenSSF Launches Open Source Project Security Baseline to Strengthen Software Supply Chain
- OpenSSF: The February 2025 Newsletter is out! Get the latest on:
Community Days 2025 – Register for Denver & Amsterdam
OSPS Baseline – New framework to secure open source projects
@PCWorld
//
Google Chrome has introduced a new layer of security, integrating AI into its existing "Enhanced protection" feature. This update provides real-time defense against dangerous websites, downloads, and browser extensions, marking a significant upgrade to Chrome's security capabilities. The AI integration allows for immediate analysis of patterns, enabling the identification of suspicious webpages that may not yet be classified as malicious.
This AI-powered security feature is an enhancement of Chrome's Safe Browsing. The technology apparently enables real-time analysis of patterns to identify suspicious or dangerous webpages. The improved protection also extends to deep scanning of downloads to detect suspicious files.
Recommended read:
References :
- BleepingComputer: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
- Anonymous ???????? :af:: Google Chrome has updated the existing "Enhanced protection" feature with AI to offer "real-time" protection against dangerous websites, downloads and extensions.
- PCWorld: Google Chrome adds real-time AI protection against dangerous content
@www.bleepingcomputer.com
//
Critical security vulnerabilities have been patched in Juniper Networks Session Smart Routers and several Atlassian products. A critical authentication bypass vulnerability, identified as CVE-2025-21589, affects Juniper's Session Smart Router, Conductor, and WAN Assurance Managed Routers. Juniper Networks has released a patch to address this flaw, which could allow attackers to bypass authentication and gain control of affected Session Smart Router devices.
Australian software firm Atlassian has also released security patches to address 12 critical and high-severity vulnerabilities across its product suite, including Bamboo, Bitbucket, Confluence, Crowd, and Jira. Among the most severe vulnerabilities fixed is CVE-2024-50379, which has a CVSS score of 9.8 and could lead to remote code execution. Users of these products are strongly advised to apply the available patches as soon as possible to mitigate potential risks.
Recommended read:
References :
- Anonymous ???????? :af:: Juniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices.
- securityaffairs.com: Australian software firm Atlassian patched 12 critical and high-severity flaws in Bamboo, Bitbucket, Confluence, Crowd, and Jira. Software firm Atlassian released security patches to address 12 critical- and high-severity vulnerabilities in Bamboo, Bitbucket, Confluence, Crowd, and Jira products. The most severe vulnerabilities addressed by the company are: CVE-2024-50379 – (CVSS score of 9.8) – RCE
Viplav Kushwah (noreply@blogger.com)@cysecurity.news
//
Quishing, or QR code phishing, has emerged as a significant cyber threat, exploiting the widespread use of QR codes. Scammers are using counterfeit QR codes to redirect users to fraudulent websites, initiate malware downloads, or steal sensitive information. These malicious codes are embedded in various places, including emails, invoices, flyers, and even physical locations like restaurant menus, preying on the trust users have in QR codes for quick access to digital services.
The techniques used in quishing attacks vary, from embedding fake QR codes in email attachments that appear legitimate to replacing genuine QR codes in public spaces. Cybercriminals often impersonate trusted entities, such as banks, to trick victims into scanning the codes. Consequences of falling victim to quishing can include financial loss, data breaches, and malware deployment, which can compromise both personal and corporate systems. To mitigate these risks, organizations should educate employees about the dangers of scanning unverified QR codes and implement advanced security tools like email security systems with dynamic URL analysis to detect malicious QR codes.
Recommended read:
References :
- Cyber Security News: QR Code Phishing (Quishing) Emerges as a Leading Cyber Threat
- gbhackers.com: Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers
- www.cysecurity.news: “Quishingâ€
is the process of placing a malicious URL into a QR code.
- Blog RSS Feed: "Quishing" - The Emerging Threat of Fake QR Codes
- cyberpress.org: Article about QR code phishing (quishing) emerging as a leading cyber threat.
Field Effect@Blog
//
The Australian government has banned Kaspersky Lab products and web services from all government systems, citing an "unacceptable security risk" stemming from potential foreign interference, espionage, and sabotage. Effective April 1, 2025, government entities must remove the software, reflecting concerns about Kaspersky's data collection practices and possible exposure to foreign government influence. The ban follows a threat and risk analysis that concluded the software posed a significant threat to Australian Government networks and data.
The directive aims to also encourage critical infrastructure providers and personal users to reconsider their use of Kaspersky products due to the identified security risks. While the directive does not explicitly name the foreign government, Kaspersky Lab is a Russian cybersecurity company, raising concerns about ties to the Russian government. Similar bans have been implemented in other countries, including the United States, which banned Kaspersky products from federal systems back in 2017. Exemptions to the ban may be considered for legitimate business reasons related to national security, subject to appropriate mitigations.
Recommended read:
References :
- BleepingComputer: The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country.
- securityaffairs.com: Australia bans Kaspersky software over national security concerns, citing risks of foreign interference, espionage, and sabotage of government networks.
- Talkback Resources: The Australian Government has banned Kaspersky Lab products and web services from all government systems and devices due to security concerns related to potential foreign interference and espionage, effective April 1, 2025.
- Talkback Resources: Australia Bans Kaspersky Software Over National Security and Espionage Concerns [app]
- Blog: FieldEffect reports on the Australian government banning Kaspersky software.
|
|