Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Security. Show all posts
DOE
AI Advancements AI cybersecurity AI Models AI Systems AI technology critical infrastructures Cyber Security DOE

Genesis Mission Launches as US Builds Closed-Loop AI System Linking National Laboratories

 

The United States has announced a major federal scientific initiative known as the Genesis Mission, framed by the administration as a transformational leap forward in how national research will be conducted. Revealed on November 24, 2025, the mission is described by the White House as the most ambitious federal science effort since the Manhattan Project. The accompanying executive order tasks the Department of Energy with creating an interconnected “closed-loop AI experimentation platform” that will join the nation’s supercomputers, 17 national laboratories, and decades of research datasets into one integrated system. 

Federal statements position the initiative as a way to speed scientific breakthroughs in areas such as quantum engineering, fusion, advanced semiconductors, biotechnology, and critical materials. DOE has called the system “the most complex scientific instrument ever built,” describing it as a mechanism designed to double research productivity by linking experiment automation, data processing, and AI models into a single continuous pipeline. The executive order requires DOE to progress rapidly, outlining milestones across the next nine months that include cataloging datasets, mapping computing capacity, and demonstrating early functionality for at least one scientific challenge. 

The Genesis Mission will not operate solely as a federal project. DOE’s launch materials confirm that the platform is being developed alongside a broad coalition of private, academic, nonprofit, cloud, and industrial partners. The roster includes major technology companies such as Microsoft, Google, OpenAI for Government, NVIDIA, AWS, Anthropic, Dell Technologies, IBM, and HPE, alongside aerospace companies, semiconductor firms, and energy providers. Their involvement signals that Genesis is designed not only to modernize public research, but also to serve as part of a broader industrial and national capability. 

However, key details remain unclear. The administration has not provided a cost estimate, funding breakdown, or explanation of how platform access will be structured. Major news organizations have already noted that the order contains no explicit budget allocation, meaning future appropriations or resource repurposing will determine implementation. This absence has sparked debate across the AI research community, particularly among smaller labs and industry observers who worry that the platform could indirectly benefit large frontier-model developers facing high computational costs. 

The order also lays the groundwork for standardized intellectual-property agreements, data governance rules, commercialization pathways, and security requirements—signaling a tightly controlled environment rather than an open-access scientific commons. Certain community reactions highlight how the initiative could reshape debates around open-source AI, public research access, and the balance of federal and private influence in high-performance computing. While its long-term shape is not yet clear, the Genesis Mission marks a pivotal shift in how the United States intends to organize, govern, and accelerate scientific advancement using artificial intelligence and national infrastructure.
Read more »
Ransomware
Akira Cyber Security Data Extortion Ransomware

Akira Ramps up Ransomware Activity With New Variant And More Aggressive Intrusion Methods

 


Akira, one of the most active ransomware operations this year, has expanded its capabilities and increased the scale of its attacks, according to new threat intelligence shared by global security agencies. The group’s operators have upgraded their ransomware toolkit, continued to target a broad range of sectors, and sharply increased the financial impact of their attacks.

Data collected from public extortion portals shows that by the end of September 2025 the group had claimed roughly 244.17 million dollars in ransom proceeds. Analysts note that this figure represents a steep rise compared to estimates released in early 2024. Current tracking data places Akira second in overall activity among hundreds of monitored ransomware groups, with more than 620 victim organisations listed this year.

The growing number of incidents has prompted an updated joint advisory from international cyber authorities. The latest report outlines newly observed techniques, warns of the group’s expanded targeting, and urges all organisations to review their defensive posture.

Researchers confirm that Akira has introduced a new ransomware strain, commonly referenced as Akira v2. This version is designed to encrypt files at higher speeds and make data recovery significantly harder. Systems affected by the new variant often show one of several extensions, which include akira, powerranges, akiranew, and aki. Victims typically find ransom instructions stored as text files in both the main system directory and user folders.

Investigations show that Akira actors gain entry through several familiar but effective routes. These include exploiting security gaps in edge devices and backup servers, taking advantage of authentication bypass and scripting flaws, and using buffer overflow vulnerabilities to run malicious code. Stolen or brute forced credentials remain a common factor, especially when multi factor authentication is disabled.

Once inside a network, the attackers quickly establish long-term access. They generate new domain accounts, including administrative profiles, and have repeatedly created an account named itadm during intrusions. The group also uses legitimate system tools to explore networks and identify sensitive assets. This includes commands used for domain discovery and open-source frameworks designed for remote execution. In many cases, the attackers uninstall endpoint detection products, change firewall rules, and disable antivirus tools to remain unnoticed.

The group has also expanded its focus to virtual and cloud based environments. Security teams recently observed the encryption of virtual machine disk files on Nutanix AHV, in addition to previous activity on VMware ESXi and Hyper-V platforms. In one incident, operators temporarily powered down a domain controller to copy protected virtual disk files and load them onto a new virtual machine, allowing them to access privileged credentials.

Command and control activity is often routed through encrypted tunnels, and recent intrusions show the use of tunnelling services to mask traffic. Authorities warn that data theft can occur within hours of initial access.

Security agencies stress that the most effective defence remains prompt patching of known exploited vulnerabilities, enforcing multi factor authentication on all remote services, monitoring for unusual account creation, and ensuring that backup systems are fully secured and tested.



Read more »
threats
Automation Cyber Security Cybersecurity Germany Recruitment Shortage threats

Germany’s Cyber Skills Shortage Leaves Companies Exposed to Record Cyberattacks

 

Germany faces a critical shortage of cybersecurity specialists amid a surge in cyberattacks that caused record damages of €202.4 billion in 2024, according to a study by Strategy&, a unit of PwC. The study found that nine out of 10 organizations surveyed reported a shortage of cybersecurity experts, a sharp increase from two-thirds in 2023. 

Key institutions such as German air traffic control, the Federal Statistical Office, and the Society for Eastern European Studies were targeted by foreign cyberattacks, highlighting the nation’s digital vulnerability. Russia and China were specifically identified as significant cyber threats.

The overall damage to German organizations from cyber-related incidents in 2024 reached €267 billion, with cyberattacks themselves accounting for about €179 billion. Other forms of damage included theft of data, IT equipment, and various acts of espionage and sabotage. Despite the growing threat, the recruitment landscape for cybersecurity roles is bleak.

Only half of the public sector's job ads for cybersecurity specialists attracted more than 10 applicants, and a decline in applications has been noted. Over two-thirds of organizations reported that applicants either partially met or failed to meet the qualifications, with notable gaps in knowledge about cybersecurity standards and data protection.

The most acute shortage exists in critical roles such as risk management, where 57% of respondents identified major gaps in positions responsible for recognizing and responding to cyber threats. Financial constraints pose another barrier to hiring, especially in the public sector, where 78% cited budget issues as a reason for not filling positions, compared to 48% in the private sector. 

Low pay contributes significantly to high staff turnover. Many experts in urgent demand in the public sector are moving to tech companies offering better salaries, exacerbating the problem. The study also revealed that only about 20% of organizations have strategically employed AI to alleviate staff shortages. Experts recommend using bonuses, allowances, outsourcing, and automation to retain talent and improve efficiency. 

Without these interventions, the study warns that bottlenecks in security-critical roles will persist, potentially crippling the ability of institutions to operate and jeopardizing Germany’s overall digital resilience. Strengthening cyber expertise through targeted incentives and international recruitment is urgent to counter these growing challenges. This situation poses a serious risk to the country's cybersecurity defenses and operational readiness .
Read more »
vulnerability exploitation
AI cyberattacks Cyber Security Cybersecurity Threats fileless ransomware nation-state hackers Ransomware Groups Rapid7 report vulnerability exploitation

Cybercriminals Speed Up Tactics as AI-Driven Attacks, Ransomware Alliances, and Rapid Exploitation Reshape Threat Landscape

 

Cybercriminals are rapidly advancing their attack methods, strengthening partnerships, and harnessing artificial intelligence to gain an edge over defenders, according to new threat intelligence. Rapid7’s latest quarterly findings paint a picture of a threat environment that is evolving at high speed, with attackers leaning on fileless ransomware, instant exploitation of vulnerabilities, and AI-enabled phishing operations.

While newly exploited vulnerabilities fell by 21% compared to the previous quarter, threat actors are increasingly turning to long-standing unpatched flaws—some over a decade old. These outdated weaknesses remain potent entry points, reflected in widespread attacks targeting Microsoft SharePoint and Cisco ASA/FTD devices via recently revealed critical bugs.

The report also notes a shrinking window between public disclosure of vulnerabilities and active exploitation, leaving organisations with less time to respond.

"The moment a vulnerability is disclosed, it becomes a bullet in the attacker's arsenal," said Christiaan Beek, Senior Director of Threat Intelligence and Analytics, Rapid7.
"Attackers are no longer waiting. Instead, they're weaponising vulnerabilities in real time and turning every disclosure into an opportunity for exploitation. Organisations must now assume that exploitation begins the moment a vulnerability is made public and act accordingly," said Beek.

The number of active ransomware groups surged from 65 to 88 this quarter. Rapid7’s analysis shows increasing consolidation among these syndicates, with groups pooling infrastructure, blending tactics, and even coordinating public messaging to increase their reach. Prominent operators such as Qilin, SafePay, and WorldLeaks adopted fileless techniques, launched extensive data-leak operations, and introduced affiliate services such as ransom negotiation assistance. Sectors including business services, healthcare, and manufacturing were among the most frequently targeted.

"Ransomware has evolved significantly beyond its early days to become a calculated strategy that destabilises industries," said Raj Samani, Chief Scientist, Rapid7.
"In addition, the groups themselves are operating like shadow corporations. They merge infrastructure, tactics, and PR strategies to project dominance and erode trust faster than ever," said Samani.

Generative AI continues to lower the barrier for cybercriminals, enabling them to automate and scale phishing and malware development. The report points to malware families such as LAMEHUG, which now have advanced adaptive features, allowing them to issue new commands on the fly and evade standard detection tools.

AI is making it easier for inexperienced attackers to craft realistic, large-volume phishing campaigns, creating new obstacles for security teams already struggling to keep pace with modern threats.

State-linked actors from Russia, China, and Iran are also evolving, shifting from straightforward espionage to intricate hybrid operations that blend intelligence collection with disruptive actions. Many of these campaigns focus on infiltrating supply chains and compromising identity systems, employing stealthy tactics to maintain long-term access and avoid detection.

Overall, Rapid7’s quarterly analysis emphasises the urgent need for organisations to modernise their security strategies to counter the speed, coordination, and technological sophistication of today’s attackers.
Read more »
monitoring
Apple Apple ID Cyber Privacy Cyber Security Data Safety data security Digital Privacy enhanced user privacy monitoring

Apple’s Digital ID Tool Sparks Privacy Debate Despite Promised Security

 

Apple’s newly introduced Digital ID feature has quickly ignited a divide among users and cybersecurity professionals, with reactions ranging from excitement to deep skepticism. Announced earlier this week, the feature gives U.S. iPhone owners a way to present their passport directly from Apple Wallet at Transportation Security Administration checkpoints across more than 250 airports nationwide. Designed to replace the need for physical identity documents at select travel touchpoints, the rollout marks a major step in Apple’s broader effort to make digital credentials mainstream. But the move has sparked conversations about how willing society should be to entrust critical identity information to smartphones. 

On one side are supporters who welcome the convenience of leaving physical IDs at home, believing Apple’s security infrastructure offers a safer and more streamlined travel experience. On the other side are privacy advocates who fear that such technology could pave the way for increased surveillance and data misuse, especially if government agencies gain new avenues to track citizens. These concerns mirror wider debates already unfolding in regions like the United Kingdom and the European Union, where national and bloc-wide digital identity programs have faced opposition from civil liberties organizations. 

Apple states that its Digital ID system relies on advanced encryption and on-device storage to protect sensitive information from unauthorized access. Unlike cloud-based sharing models, Apple notes that passport data will remain confined to the user’s iPhone, and only the minimal information necessary for verification will be transmitted during identification checks. Authentication through Face ID or Touch ID is required to access the ID, aiming to ensure that no one else can view or alter the data. Apple has emphasized that it does not gain access to passport details and claims its design prioritizes privacy at every stage. 

Despite these assurances, cybersecurity experts and digital rights advocates are unconvinced. Jason Bassler, co-founder of The Free Thought Project, argued publicly that increasing reliance on smartphone-based identity tools could normalize a culture of compromised privacy dressed up as convenience. He warned that once the public becomes comfortable with digital credentials, resistance to broader forms of monitoring may fade. Other specialists, such as Swiss security researcher Jean-Paul Donner, note that iPhone security is not impenetrable, and both hackers and law enforcement have previously circumvented device protections. 

Major organizations like the ACLU, EFF, and CDT have also called for strict safeguards, insisting that identity systems must be designed to prevent authorities from tracking when or where identification is used. They argue that without explicit structural barriers to surveillance, the technology could be exploited in ways that undermine civil liberties. 

Whether Apple can fully guarantee the safety and independence of digital identity data remains an open question. As adoption expands and security is tested in practice, the debate over convenience versus privacy is unlikely to go away anytime soon. TechRadar is continuing to consult industry experts and will provide updates as more insights emerge.
Read more »
WhatsApp Security
Cross-Platform Messaging Cyber Security Digital Markets Act Encrypted Communication EU Tech Regulation Messaging Compliance Meta Interoperability Secure Connectivity Third-Party Chats WhatsApp Security

Users Will Soon Text From External Apps Directly Inside WhatsApp

 


WhatsApp is taking a significant step towards ensuring greater digital openness across Europe by enabling seamless communication that extends beyond the borders of its own platform, making it closer to enabling seamless communication that extends beyond the confines of its platform itself. 

According to the requirements for interoperability outlined in the EU’s Digital Markets Act, the company is preparing to add third-party chat support to its chat services within the European Union. A new feature that is being offered by WhatsApp will allow users to communicate with users on other messaging services which are willing to integrate with the WhatsApp framework. This feature can be opted into by individuals who choose to opt in. 

An initial rollout, planned in Europe for both Android and iOS devices, will cover the basics like text, photos, videos, voice notes, and files, while a later phase will include a broader range of capabilities, including cross-platform group chats. 

The new system is offered as an option and can be controlled in the application's settings. However, WhatsApp's new features have been built in a way that ensures that end-to-end encryption standards are maintained within WhatsApp's existing security protocols, ensuring users' privacy is never compromised as a result of expanding connectivity. 

A few users in the European Union have reported a new "third-party chats" section in their WhatsApp account settings, which indicates that WhatsApp may be expanding its cross-platform ambitions. While this feature is still under development and has not yet been formally introduced, it gives a glimpse into how the platform intends to streamline communication across multiple platforms by making it easier to communicate. 

The Messenger app also offers users the option to sync their messages, photos, videos, voice messages, and documents with external apps, allowing them to exchange messages, photos, videos, voice notes, and documents with these apps or separate them into a separate section that is clearly identified and accessible to them.

It is important to note that some WhatsApp functions, including status posts, disappearing messages, and stickers, remain unsupported for the time being, and there are some limitations in place, such as the possibility of receiving messages from individuals previously blocked on WhatsApp who initiate contact through another platform. 

When users receive incoming message requests from third-party platforms, they can choose to respond immediately to messages or review them at their convenience according to how they want. In addition to providing a detailed preview of how the cross-platform experience will function once it has been released to a broader audience, WhatsApp’s testing phase will also give an in-depth look at how the cross-platform experience functions in real life. 

In parts of the European Union, Google is undergoing test trials regarding a new setting that exists within the app, known as "third-party chats," and allows users to exchange text messages, images, videos, voice notes, and documents with compatible external services through these third-party chats. In the beta period, BirdyChat seems to be the only app that is connected, but as more platforms adopt the required technical framework, there is expected to be a broader interoperability.

It is up to the user to decide whether to store these conversations in his or her primary inbox or separate folders based on his or her individual preferences. Some platform-specific tools, such as status updates, disappearing messages, and stickers, will not carry over to external exchanges, since they will only be accessible on WhatsApp. This feature is entirely optional, allowing those satisfied with WhatsApp's existing environment to leave it disabled. Further, WhatsApp blocked users are still able to reach out to those blocked via a third-party application, which the company has noted in its testing. 

Although WhatsApp's own communication channels continue to be encrypted end-to-end, the level of protection for messages that are exchanged with other platforms is a result of the encryption policies adopted by those services. The company maintains that it cannot read the content of chats sent by third parties, even when they are accessed through WhatsApp' interface. 

Despite months of controlled testing, what has been done to highlight the progress made through the cross-platform initiative is now moving into a broader rollout phase. As part of a recent announcement by the company, we learned that WhatsApp users in the European region will shortly be able to communicate directly with people using BirdyChat and Haiket by using the newly introduced third-party chat feature. 

Meta describes this advance as a key milestone that will help Meta meet the EU's requirements for interoperability under the Digital Markets Act of the European Union. The new feature will enable European users to send messages, images, voice notes, videos, and files via external platforms to their external contacts and as soon as partner services complete their own technical preparations, users will be able to exchange group messages and images with each other. 

A notification will appear in the Settings tab to guide users through the opt-in process as Meta plans to enter this feature gradually over the coming weeks. Currently, the feature is only compatible with Android and iOS, leaving desktop, web, and tablet versions of the app unaffected. 

As Meta points out, these partnerships were developed over the course of several years as a result of repeated efforts by European messaging providers and the European Commission to establish an interoperability framework that is both DMA-compliant and protects the privacy of users. It is mandatory for all third-party interactions to follow encryption protocols, which are consistent with WhatsApp's own end-to-end protections. 

Furthermore, the interface has been designed to make it easy for users to distinguish between native and external chats. The system was already previewed by Meta in late 2024, which included features like a dedicated folder for third-party messages and an alert system when a new external messaging service becomes available for use. In accordance with the Digital Markets Act, WhatsApp is under pressure to support only the most basic messaging functionality. 

However, WhatsApp is in the process of developing advanced features for third-party chat users who enable the function. A number of advanced interaction features will accompany the initial rollout of Meta's communication services, such as message reaction, threaded replies, typing indicator, and read receipts, ensuring a smoother and more familiar communication process across multiple services.

There is also a long-term roadmap that has been developed by the company, which includes the introduction of cross-platform group chats in 2025, as well as the implementation of voice and video calling by 2027, once technical integrations have matured. 

Aside from the fact that WhatsApp emphasizes that the wider availability of these features depends on how soon other messaging apps will embrace the necessary standards for interoperability, the company believes the ultimate goal is to create an intuitive, secure platform that allows users to seamlessly communicate across multiple platforms with ease and without any hassle.

A feature like the one listed above, as WhatsApp moves steadily towards a more integrated messaging ecosystem, will likely have a long-term impact that extends beyond the convenience it provides. As WhatsApp opens its doors to external platforms, it is positioning itself at the center of a unified digital communication landscape—one in which users will not have to juggle a variety of applications in order to remain in touch.

The shift provides consumers with greater flexibility, a wider reach, and fewer barriers between services, while for developers it creates a new competitive environment based on interoperability rather than isolation. It is quite likely that, if this transition is executed well, it will redefine how millions of people around the world navigate their daily lives.
Read more »
Mobile Spyware
Android Smartphone CVE CVE exploits CVE vulnerability CVEs Cyber Security Exploits Landfall mobile security measures Mobile Spyware

Samsung Zero-Day Exploit “Landfall” Targeted Galaxy Devices Before April Patch

 

A recently disclosed zero-day vulnerability affecting several of Samsung’s flagship smartphones has raised renewed concerns around mobile device security. Researchers from Palo Alto Networks’ Unit 42 revealed that attackers had been exploiting a flaw in Samsung’s image processing library, tracked as CVE-2025-21042, for months before a security fix was released. The vulnerability, which the researchers named “Landfall,” allowed threat actors to compromise devices using weaponized image files without requiring any interaction from the victim. 

The flaw impacted premium Samsung models across the Galaxy S22, S23, and S24 generations as well as the Galaxy Z Fold 4 and Galaxy Z Flip 4. Unit 42 found that attackers could embed malicious data into DNG image files, disguising them with .jpeg extensions to appear legitimate and avoid suspicion. These files could be delivered through everyday communication channels such as WhatsApp, where users are accustomed to receiving shared photos. Because the exploit required no clicks and relied solely on the image being processed, even careful users were at risk. 

Once installed, spyware leveraging Landfall could obtain access to sensitive data stored on the device, including photos, contacts, and location information. It was also capable of recording audio and collecting call logs, giving attackers broad surveillance capabilities. The targeting appeared focused primarily on users in the Middle East, with infections detected in countries such as Iraq, Iran, Turkey, and Morocco. Samsung was first alerted to the exploit in September 2024 and issued a patch in April, closing the zero-day vulnerability across affected devices.  

The seriousness of the flaw prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to place CVE-2025-21042 in its Known Exploited Vulnerabilities catalog, a list reserved for security issues actively abused in attacks. Federal agencies have been instructed to ensure that any vulnerable Samsung devices under their management are updated no later than December 1st, reflecting the urgency of mitigation efforts.  

For consumers, the incident underscores the importance of maintaining strong cybersecurity habits on mobile devices. Regularly updating the operating system is one of the most effective defenses against emerging exploits, as patches often include protections for newly discovered vulnerabilities. Users are also encouraged to be cautious regarding unsolicited content, including media files sent from unknown contacts, and to avoid clicking links or downloading attachments they cannot verify. 

Security experts additionally recommend using reputable mobile security tools alongside Google Play Protect to strengthen device defenses. Many modern Android antivirus apps offer supplementary safeguards such as phishing alerts, VPN access, and warnings about malicious websites. 

Zero-day attacks remain an unavoidable challenge in the smartphone landscape, as cybercriminals continually look for undiscovered flaws to exploit. But with proactive device updates and careful online behavior, users can significantly reduce their exposure to threats like Landfall and help ensure their personal data remains secure.
Read more »
faulty software update
Algorithmic security Computing Cyber Security Decoder fault-tolerant quantum computing faulty software update

Quantum Error Correction Moves From Theory to Practical Breakthroughs

Quantum computing’s biggest roadblock has always been fragility: qubits lose information at the slightest disturbance, and protecting them requires linking many unstable physical qubits into a single logical qubit that can detect and repair errors. That redundancy works in principle, but the repeated checks and recovery cycles have historically imposed such heavy overhead that error correction remained mainly academic. Over the last year, however, a string of complementary advances suggests quantum error correction is transitioning from theory into engineering practice. 

Algorithmic improvements are cutting correction overheads by treating errors as correlated events rather than isolated failures. Techniques that combine transversal operations with smarter decoders reduce the number of measurement-and-repair rounds needed, shortening runtimes dramatically for certain hardware families. Platforms built from neutral atoms benefit especially from these methods because their qubits can be rearranged and operated on in parallel, enabling fewer, faster correction cycles without sacrificing accuracy.

On the hardware side, researchers have started to demonstrate logical qubits that outperform the raw physical qubits that compose them. Showing a logical qubit with lower effective error rates on real devices is a milestone: it proves that fault tolerance can deliver practical gains, not just theoretical resilience. Teams have even executed scaled-down versions of canonical quantum algorithms on error-protected hardware, moving the community from “can this work?” to “how do we make it useful?” 

Software and tooling are maturing to support these hardware and algorithmic wins. Open-source toolkits now let engineers simulate error-correction strategies before hardware commits, while real-time decoders and orchestration layers bridge quantum operations with the classical compute that must act on error signals. Training materials and developer platforms are emerging to close the skills gap, helping teams build, test, and operate QEC stacks more rapidly. 

That progress does not negate the engineering challenges ahead. Error correction still multiplies resource needs and demands significant classical processing for decoding in real time. Different qubit technologies present distinct wiring, control, and scaling trade-offs, and growing system size will expose new bottlenecks. Experts caution that advances are steady rather than explosive: integrating algorithms, hardware, and orchestration remains the hard part. 

Still, the arc is unmistakable. Faster algorithms, demonstrable logical qubits, and a growing ecosystem of software and training make quantum error correction an engineering discipline now, not a distant dream. The field has shifted from proving concepts to building repeatable systems, and while fault-tolerant, cryptographically relevant quantum machines are not yet here, the path toward reliable quantum computation is clearer than it has ever been.
Read more »
Threat Intelligence
ClickFix Cyber Security Malicious Campaign Social Engineering Threat Intelligence

ClickFix: The Silent Cyber Threat Tricking Families Worldwide

 

ClickFix has emerged as one of the most pervasive and dangerous cybersecurity threats in 2025, yet remains largely unknown to the average user and even many IT professionals. This social engineering technique manipulates users into executing malicious scripts—often just a single line of code—by tricking them with fake error messages, CAPTCHA prompts, or fraudulent browser update alerts.

The attack exploits the natural human desire to fix technical problems, bypassing most endpoint protections and affecting Windows, macOS, and Linux systems. ClickFix campaign typically begin when a victim encounters a legitimate-looking message urging them to run a script or command, often on compromised or spoofed websites. 

Once executed, the script connects the victim’s device to a server controlled by attackers, allowing stealthy installation of malware such as credential stealers (e.g., Lumma Stealer, SnakeStealer), remote access trojans (RATs), ransomware, cryptominers, and even nation-state-aligned malware. The technique is highly effective because it leverages “living off the land” binaries, which are legitimate system tools, making detection difficult for security software.

ClickFix attacks have surged by over 500% in 2025, accounting for nearly 8% of all blocked attacks and ranking as the second most common attack vector after traditional phishing. Threat actors are now selling ClickFix builders to automate the creation of weaponized landing pages, further accelerating the spread of these attacks. Victims are often ordinary users, including families, who may lack the technical knowledge to distinguish legitimate error messages from malicious ones.

The real-world impact of ClickFix is extensive: it enables attackers to steal sensitive information, hijack browser sessions, install malicious extensions, and even execute ransomware attacks. Cybersecurity firms and agencies are urging users to exercise caution with prompts to run scripts and to verify the authenticity of error messages before taking any action. Proactive human risk management and user education are essential to mitigate the threat posed by ClickFix and similar social engineering tactics.
Read more »
cybersecurity vulnerability
Critical Exploits Critical Vulnerability CVE CVE exploits CVE vulnerability CVEs Cyber Security cybersecurity vulnerability

New runC Vulnerabilities Expose Docker and Kubernetes Environments to Potential Host Breakouts

 

Three newly uncovered vulnerabilities in the runC container runtime have raised significant concerns for organizations relying on Docker, Kubernetes, and other container-based systems. The flaws, identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by SUSE engineer and Open Container Initiative board member Aleksa Sarai. Because runC serves as the core OCI reference implementation responsible for creating container processes, configuring namespaces, managing mounts, and orchestrating cgroups, weaknesses at this level have broad consequences for modern cloud and DevOps infrastructure. 

The issues stem from the way runC handles several low-level operations, which attackers could manipulate to escape the container boundary and obtain root-level write access on the underlying host system. All three vulnerabilities allow adversaries to redirect or tamper with mount operations or trigger writes to sensitive files, ultimately undoing the isolation that containers are designed to enforce. CVE-2025-31133 involves a flaw where runC attempts to “mask” system files by bind-mounting /dev/null. If an attacker replaces /dev/null with a symlink during initialization, runC can end up mounting an attacker-chosen location read-write inside the container, enabling potential writes to the /proc filesystem and allowing escape. 

CVE-2025-52565 presents a related problem involving races and symlink redirection. The bind mount intended for /dev/console can be manipulated so that runC unknowingly mounts an unintended target before full protections are in place. This again opens a window for writes to critical procfs entries, providing an attacker with a pathway out of the container. The third flaw, CVE-2025-52881, highlights how runC may be tricked into performing writes to /proc that get redirected to files controlled by the attacker. This behavior could bypass certain Linux Security Module relabel protections and turn routine runC operations into dangerous arbitrary writes, including to sensitive files such as /proc/sysrq-trigger. 

Two of the vulnerabilities—CVE-2025-31133 and CVE-2025-52881—affect all versions of runC, while CVE-2025-52565 impacts versions from 1.0.0-rc3 onward. Patches have been issued in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later. Security researchers at Sysdig noted that exploiting these flaws requires attackers to start containers with custom mount configurations, a condition that could be met via malicious Dockerfiles or harmful pre-built images. So far, there is no evidence of active exploitation, but the potential severity has prompted urgent guidance. Detection efforts should focus on monitoring suspicious symlink activity, according to Sysdig’s advisory. 

The runC team has also emphasized enabling user namespaces for all containers while avoiding mappings that equate the host’s root user with the container’s root. Doing so limits the scope of accessible files because user namespace restrictions prevent host-level file access. Security teams are further encouraged to adopt rootless containers where possible to minimize the blast radius of any successful attack. Even though traditional container isolation provides significant security benefits, these findings underscore the importance of layered defenses and continuous monitoring in containerized environments, especially as threat actors increasingly look for weaknesses at the infrastructure level.
Read more »
US
China Cyber Security firmware Routers US

U.S. Agencies Consider Restrictions on TP-Link Routers Over Security Risks

 



A coordinated review by several federal agencies in the United States has intensified scrutiny of TP-Link home routers, with officials considering whether the devices should continue to be available in the country. Recent reporting indicates that more than six departments and agencies have supported a proposal recommending restrictions because the routers may expose American data to security risks.

Public attention on the matter began in December 2024, when major U.S. outlets revealed that the Departments of Commerce, Defense and Justice had opened parallel investigations into TP-Link. The inquiries focused on whether the company’s corporate structure and overseas connections could create opportunities for foreign government influence. After those initial disclosures, little additional information surfaced until the Washington Post reported that the proposal had cleared interagency review.

Officials involved believe the potential risk comes from how TP-Link products collect and manage sensitive information, combined with the company’s operational ties to China. TP-Link strongly disputes the allegation that it is subject to any foreign authority and says its U.S. entity functions independently. The company maintains that it designs and manufactures its devices without any outside control.

TP-Link was founded in Shenzhen in 1996 and reorganized in 2024 into two entities: TP-Link Technologies and TP-Link Systems. The U.S. arm, TP-Link Systems, operates from Irvine, California, with roughly 500 domestic employees and thousands more across its global workforce. Lawmakers previously expressed concern that companies with overseas operations may be required to comply with foreign legal demands. They also cited past incidents in which compromised routers, including those from TP-Link, were used by threat actors during cyber operations targeting the United States.

The company has grown rapidly in the U.S. router market since 2019. Some reports place its share at a majority of consumer sales, although TP-Link disputes those figures and points to independent data that estimates a smaller share. One industry platform found that about 12 percent of active U.S. home routers are TP-Link devices. Previous reporting also noted that more than 300 internet providers distribute TP-Link equipment to customers.

In a separate line of inquiry, the Department of Justice is examining whether TP-Link set prices at levels intended to undercut competitors. The company denies this and says its pricing remains sustainable and profitable.

Cybersecurity researchers have found security flaws in routers from many manufacturers, not only TP-Link. Independent analysts identified firmware implants linked to state-sponsored groups, as well as widespread botnet activity involving small office and home routers. A Microsoft study reported that some TP-Link devices became part of password spray attacks when users did not change default administrator credentials. Experts emphasize that router vulnerabilities are widespread across the industry and not limited to one brand.

Consumers who use TP-Link routers can reduce risk by updating administrator passwords, applying firmware updates, enabling modern encryption such as WPA3, turning on built-in firewalls, and considering reputable VPN services. Devices that no longer receive updates should be replaced.

The Department of Commerce has not issued a final ruling. Reports suggest that ongoing U.S. diplomatic discussions with China could influence the timeline. TP-Link has said it is willing to improve transparency, strengthen cybersecurity practices and relocate certain functions if required. 

Read more »
Modern Vehicles
autonomous vehicles car tracking Cyber Security cyberattacks on transportation cybersecurity vulnerability Hacker attack Modern Vehicles

Why Oslo’s Bus Security Tests Highlight the Hidden Risks of Connected Vehicles

 

Modern transportation looks very different from what it used to be, and the question of who controls a vehicle on the road no longer has a simple answer. Decades ago, the person behind the wheel was unquestionably the one in charge. But as cars, buses, and trucks increasingly rely on constant connectivity, automated functions, and remote software management, the definition of a “driver” has become more complicated. With vehicles now vulnerable to remote interference, the risks tied to this connectivity are prompting transportation agencies to take a closer look at what’s happening under the hood. 

This concern is central to a recent initiative by Ruter, the public transport agency responsible for Oslo and the surrounding Akershus region. Ruter conducted a detailed assessment of two electric bus models—one from Dutch manufacturer VDL and another from Chinese automaker Yutong—to evaluate the cybersecurity implications of integrating modern, connected vehicles into public transit networks. The goal was straightforward but crucial: determine whether any external entity could access bus controls or manipulate onboard camera systems. 

The VDL buses showed no major concerns because they lacked the capability for remote software updates, effectively limiting the pathways through which an attacker could interfere. The Yutong buses, however, presented a more complex picture. While one identified vulnerability tied to third-party software has since been fixed, Ruter’s investigation revealed a more troubling possibility: the buses could potentially be halted or disabled by the manufacturer through remote commands. Ruter is now implementing measures to slow or filter incoming signals so they can differentiate between legitimate updates and suspicious activity, reducing the chance of an unnoticed hijack attempt. 

Ruter’s interest in cybersecurity aligns with broader global concerns. The Associated Press noted that similar tests are being carried out by various organizations because the threat landscape continues to expand. High-profile demonstrations over the past decade have shown that connected vehicles are susceptible to remote interference. One of the most well-known examples was when WIRED journalist Andy Greenberg rode in a Jeep that hackers remotely manipulated, controlling everything from the brakes to the steering. More recent research, including reports from LiveScience, highlights attacks that can trick vehicles’ perception systems into detecting phantom obstacles. 

Remote software updates play an important role in keeping vehicles functional and reducing the need for physical recalls, but they also create new avenues for misuse. As vehicles become more digital than mechanical, transit agencies and governments must treat cybersecurity as a critical aspect of transportation safety. Oslo’s findings reinforce the reality that modern mobility is no longer just about engines and wheels—it’s about defending the invisible networks that keep those vehicles running.
Read more »
USB
Backup Cyber Security Data protection Encryption storage USB

USB Drives Are Handy, But Never For Your Only Backup

 

Storing important files on a USB drive offers convenience due to their ease of use and affordability, but there are significant considerations regarding both data preservation and security that users must address. USB drives, while widely used for backup, should not be solely relied upon for safeguarding crucial files, as various risks such as device failure, malware infection, and physical theft can compromise data integrity.

Data preservation challenges

USB drive longevity depends heavily on build quality, frequency of use, and storage conditions. Cheap flash drives carry a higher failure risk compared to rugged, high-grade SSDs, though even premium devices can malfunction unexpectedly. Relying on a single drive is risky; redundancy is the key to effective file preservation.

Users are encouraged to maintain multiple backups, ideally spanning different storage approaches—such as using several USB drives, local RAID setups, and cloud storage—for vital files. Each backup method has its trade-offs: local storage like RAID arrays provides resilience against hardware failure, while cloud storage via services such as Google Drive or Dropbox enables convenient access but introduces exposure to hacking or unauthorized access due to online vulnerabilities.

Malware and physical risks

All USB drives are susceptible to malware, especially when connected to compromised computers. Such infections can propagate, and in some cases, lead to ransomware attacks where files are held hostage. Additionally, used or secondhand USB drives pose heightened malware risks and should typically be avoided. Physical security is another concern; although USB drives are inaccessible remotely when unplugged, they are unprotected if stolen unless properly encrypted.

Encryption significantly improves USB drive security. Tools like BitLocker (Windows) and Disk Utility (MacOS) enable password protection, making it more difficult for thieves or unauthorized users to access files even if they obtain the physical device. Secure physical storage—such as safes or safety deposit boxes—further limits theft risk.

Recommended backup strategy

Most users should keep at least two backups: one local (such as a USB drive) and one cloud-based. This dual approach ensures data recovery if either the cloud service is compromised or the physical drive is lost or damaged. For extremely sensitive data, robust local systems with advanced encryption are preferable. Regularly simulating data loss scenarios and confirming your ability to restore lost files provides confidence and peace of mind in your backup strategy.
Read more »
Threat Intelligence
Cloud Security continuous monitoring Cyber Security Cybersecurity Endpoint Defense Incident response ransomware protection Risk Management SOC Operations Threat Intelligence

Continuous Incident Response Is Redefining Cybersecurity Strategy

 


With organizations now faced with relentless digital exposure, continuous security monitoring has become an operational necessity instead of a best practice, as organizations navigate an era where digital exposure is ubiquitous. In 2024, cyber-attacks will increase by nearly 30%, with the average enterprise having to deal with over 1,600 attempted intrusions a week, with the financial impact of a data breach regularly rising into six figures. 

Even so, the real crisis extends well beyond the rising level of threats. In the past, cybersecurity strategies relied on a familiar formula—detect quickly, respond promptly, recover quickly—but that cadence no longer suffices in an environment that is characterized by adversaries automating reconnaissance, exploiting cloud misconfiguration within minutes, and weaponizing legitimate tools so that they can move laterally far faster than human analysts are able to react. 

There has been a growing gap between what organizations can see and the ability to act as the result of successive waves of innovation, from EDR to XDR, as a result of which they have widened visibility across sprawling digital estates. The security operations center is already facing unprecedented complexity. Despite the fact that security operations teams juggle dozens of tools and struggle with floods of alerts that require manual validation, organisations are unable to act as quickly as they should. 

A recent accelerated disconnect between risk and security is transforming how security leaders understand risks and forcing them to face a difficult truth: visibility without speed is no longer an effective defence. When examining the threat patterns defining the year 2024, it becomes more apparent why this shift is necessary. According to security firms, attackers are increasingly using stealthy, fileless techniques to steal from their victims, with nearly four out of five detections categorised as malware-free today, with the majority of attacks classified as malware-free. 

As a result, ransomware activity has continued to climb steeply upward, rising by more than 80% on a year-over-year basis and striking small and midsized businesses the most disproportionately, accounting for approximately 70% of all recorded incidents. In recent years, phishing campaigns have become increasingly aggressive, with some vectors experiencing unprecedented spikes - some exceeding 1,200% - as adversaries use artificial intelligence to bypass human judgment. 

A number of SMBs remain structurally unprepared in spite of these pressures, with the majority acknowledging that they have become preferred targets, but three out of four of them continue to use informal or internally managed security measures. These risks are compounded by human error, which is responsible for an estimated 88% of reported cyber incidents. 

There have been staggering financial consequences as well; in the past five years alone, the UK has suffered losses of more than £44 billion, resulting in both immediate disruption and long-term revenue losses. Due to this, the industry’s definition of continuous cybersecurity is now much broader than periodic audits. 

It is necessary to maintain continuous threat monitoring, proactive vulnerability and exposure management, disciplined identity governance, sustained employee awareness programs, regularly tested incident response playbooks, and ongoing compliance monitoring—a posture which emphasizes continuous evaluation rather than reactive control as part of an operational strategy. Increasingly complex digital estates are creating unpredictable cyber risks, which are making continuous monitoring an essential part of modern defence strategies. 

Continuous monitoring is a real time monitoring system that scans systems, networks, and cloud environments in real time, in order to detect early signs of misconfiguration, compromise, or operational drift. In contrast to periodic checks which operate on a fixed schedule and leave long periods of exposure, continuous monitoring operates in real time. 

The approach outlined above aligns closely with the NIST guidance, which urges organizations to set up an adaptive monitoring strategy capable of ingesting a variety of data streams, analysing emerging vulnerabilities, and generating timely alerts for security teams to take action. Using continuous monitoring, organizations can discover latent weaknesses that are contributing to their overall cyber posture. 

Continuous monitoring reduces the frequency and severity of incidents, eases the burden on security personnel, and helps them meet increasing regulatory demands. Even so, maintaining such a level of vigilance remains a challenge, especially for small businesses that lack the resources, expertise, and tooling to operate around the clock in order to stay on top of their game. 

The majority of organizations therefore turn to external service providers in order to achieve the scalability and economic viability of continuous monitoring. Typically, effective continuous monitoring programs include four key components: a monitoring engine, analytics that can be used to identify anomalies and trends on a large scale, a dashboard that shows key risk indicators in real time, and an alerting system to ensure that emerging issues are quickly addressed by the appropriate staff. 

With the help of automation, security teams are now able to process a great deal of telemetry in a timely and accurate manner, replacing outdated or incomplete snapshots with live visibility into organisational risk, enabling them to respond successfully in a highly dynamic threat environment. 

Continuous monitoring can take on a variety of forms, depending on the asset in focus, including endpoint monitoring, network traffic analysis, application performance tracking, cloud and container observability, etc., all of which provide an important layer of protection against attacks as they spread across every aspect of the digital infrastructure. 

It has also been shown that the dissolution of traditional network perimeters is a key contributor to the push toward continuous response. In the current world of cloud-based workloads, SaaS-based ecosystems, and remote endpoints, security architectures mustwork as flexible and modular systems capable of correlating telemetrics between email, DNS, identity, network, and endpoint layers, without necessarily creating new silos within the architecture. 

Three operational priorities are usually emphasized by organizations moving in this direction: deep integration to keep unified visibility, automation to handle routine containment at machine speed and validation practices, such as breach simulations and posture tests, to ensure that defence systems behave as they should. It has become increasingly common for managed security services to adopt these principles, and this is why more organizations are adopting them.

909Protect, for instance, is an example of a product that provides rapid, coordinated containment across hybrid environments through the use of automated detection coupled with continuous human oversight. In such platforms, the signals from various security vectors are correlated, and they are layered on top of existing tools with behavioural analysis, posture assessment and identity safeguards in order to ensure that no critical alert goes unnoticed while still maintaining established investments. 

In addition to this shift, there is a realignment among the industry as a whole toward systems that are built to be available continuously rather than undergoing episodic interventions. Cybersecurity has gone through countless “next generation” labels, but only those approaches which fundamentally alter the behavior of operations tend to endure, according to veteran analysts in the field. In addressing this underlying failure point, continuous incident response fits perfectly into this trajectory. 

Organizations are rarely breached because they have no data, but rather because they do not act on it quickly enough or cohesively. As analysts argue, the path forward will be determined by the ability to combine automation, analytics, and human expertise into a single adaptive workflow that can be used in an organization's entirety. 

There is no doubt that the organizations that are most likely to be able to withstand emerging threats in the foreseeable future will be those that approach security as a living, constantly changing system that is not only based on the visible, but also on the ability of the organization to detect, contain, and recover in real time from any threats as they arise. 

In the end, the shift toward continuous incident response is a sign that cybersecurity resilience is more than just about speed anymore, but about endurance as well. Investing in unified visibility, disciplined automation, as well as persistent validation will not only ensure that the path from detection to containment is shortened, but that the operations remain stable over the longer term as well.

The advantage will go to those who treat security as an evolving ecosystem—one that is continually refined, coordinated across teams and committed to responding in a continuity similar to the attacks used by adversaries.
Read more »
data security
Chinese Chinese Hackers Cyber Security Data Breaches Data Leak Data protection data security

Knownsec Data Leak Exposes Deep Cyber Links and Global Targeting Operations

 

A recent leak involving Chinese cybersecurity company Knownsec has uncovered more than 12,000 internal documents, offering an unusually detailed picture of how deeply a private firm can be intertwined with state-linked cyber activities. The incident has raised widespread concern among researchers, as the exposed files reportedly include information on internal artificial intelligence tools, sophisticated cyber capabilities, and extensive international targeting efforts. Although the materials were quickly removed after surfacing briefly on GitHub, they have already circulated across the global security community, enabling analysts to examine the scale and structure of the operations. 

The leaked data appears to illustrate connections between Knownsec and several government-aligned entities, giving researchers insight into China’s broader cyber ecosystem. According to those reviewing the documents, the files map out international targets across more than twenty countries and regions, including India, Japan, Vietnam, Indonesia, Nigeria, and the United Kingdom. Of particular concern are spreadsheets that allegedly outline attacks on around 80 foreign organizations, including critical infrastructure providers and major telecommunications companies. These insights suggest activity far more coordinated than previously understood, highlighting the growing sophistication of state-associated cyber programs. 

Among the most significant revelations is the volume of foreign data reportedly linked to prior breaches. Files attributed to the leaks include approximately 95GB of immigration information from India, 3TB of call logs taken from South Korea’s LG U Plus, and nearly 459GB of transportation records from Taiwan. Researchers also identified multiple Remote Access Trojans capable of infiltrating Windows, Linux, macOS, iOS, and Android systems. Android-based malware found in the leaked content reportedly has functionality allowing data extraction from widely used Chinese messaging applications and Telegram, further emphasizing the operational depth of the tools. 

The documents also reference hardware-based hacking devices, including a malicious power bank engineered to clandestinely upload data into a victim’s system once connected. Such devices demonstrate that offensive cyber operations may extend beyond software to include physical infiltration tools designed for discreet, targeted attacks. Security analysts reviewing the information suggest that these capabilities indicate a more expansive and organized program than earlier assessments had captured. 

Beijing has denied awareness of any breach involving Knownsec. A Foreign Ministry spokesperson reiterated that China opposes malicious cyber activities and enforces relevant laws, though the official statement did not directly address the alleged connections between the state and companies involved in intelligence-oriented work. While the government’s response distances itself from the incident, analysts note that the leaked documents will likely renew debates about the role of private firms in national cyber strategies. 

Experts warn that traditional cybersecurity measures—including antivirus software and firewall defenses—are insufficient against the type of advanced tools referenced in the leak. Instead, organizations are encouraged to adopt more comprehensive protection strategies, such as real-time monitoring systems, strict network segmentation, and the responsible integration of AI-driven threat detection. 

The Knownsec incident underscores that as adversaries continue to refine their methods, defensive systems must evolve accordingly to prevent large-scale breaches and safeguard sensitive data.
Read more »
Token Farming Attack
Automated Attacks Cyber Security Dependency Threats malware NPM malware Open Source Risks Registry Abuse Research Software Integrity supply chain security Token Farming Attack

$116 Million at Risk as Balancer Suffers Major Smart Contract Breach

 

Security experts are becoming increasingly concerned about a developing anomaly in the JavaScript ecosystem after researchers discovered a massive cluster of self-replicating npm packages that seem to have no technical function but instead indicate a well-thought-out and financially motivated scheme. Over 43,000 of these packages—roughly 1% of the whole npm repository—were covertly uploaded over a two-year period using at least 11 synchronized accounts, according to recent research by Endor Labs. 

The libraries automatically reproduce themselves when downloaded and executed, filling the ecosystem with nearly identical code, even though they do not behave like traditional malware—showing no indicators of data theft, backdoor deployment, or system compromise. Investigators caution that even while these packages are harmless at the moment, their size and consistent behavior could serve as a channel for harmful updates in the future. 

With many packages containing tea.yaml files connected to TEA cryptocurrency accounts, early indications also point to a potential monetization plan, indicating the operation may be built to farm tokens at scale. The scope and complexity of the program were exposed by more research in the weeks that followed. 

In late October, clusters of unusual npm uploads were first observed by Amazon's security experts using improved detection algorithms and AI-assisted monitoring. By November 7, hundreds of suspicious packages had been found, and by November 12, over 150,000 malicious entries had been linked to a network of coordinated developer accounts. 

What had started out as a few dubious packages swiftly grew into a huge discovery. They were all connected to the tea.xyz token-farming initiative, a decentralized protocol that uses TEA tokens for staking, incentives, and governance to reward open-source contributions. Instead of using ransomware or credential stealers, the attackers flooded the registry with self-replicating packages that were made to automatically create and publish new versions.

As unwary developers downloaded or interacted with the contaminated libraries, the perpetrators silently accumulated token rewards. Each package was connected to blockchain wallets under the attackers' control by embedded tea.yaml files, which made it possible for them to embezzle profits from lawful community activities without drawing attention to themselves. The event, according to security experts, highlights a broader structural flaw in contemporary software development, where the speed and transparency of open-source ecosystems may be readily exploited at scale. 

Amazon's results show how AI-driven automation has made it easy for attackers to send large quantities of garbage or dangerous goods in a short amount of time, according to Manoj Nair, chief innovation officer at Snyk. He emphasized that developers should use behavior-based scanning and automated dependency-health controls to identify low-download libraries, template-reused content, and abrupt spikes in mass publishing before such components enter their build pipelines, as manual review is no longer sufficient. 

In order to stop similar operations before they start, he continued, registry operators must also change by proactively spotting bulk uploads, duplicate code templates, and oddities in metadata. Suzu CEO Michael Bell shared these worries, claiming that the discovery of 150,000 self-replicating, token-farming npm packages shows why attackers frequently have significantly more leverage when they compromise the development supply chain than when they directly target production systems. 

Bell cautioned that companies need to treat build pipelines and dependency chains with the same rigor as production infrastructure because shift-left security is becoming the standard. This includes implementing automated scans, keeping accurate software bills of materials, enforcing lockfiles to pin trusted versions, and verifying package authenticity before installation. He pointed out that once malicious code enters production, defenders are already reacting to a breach rather than stopping an assault. 

The researchers discovered that by incorporating executable scripts and circular dependency chains into package.json files, the campaign took advantage of npm's installation procedures. In actuality, installing one malicious package set off a planned cascade that increased replication and tea.xyz teaRank scores by automatically installing several more.

The operation created significant risks by flooding the registry with unnecessary entries, taxing storage and bandwidth resources, and increasing the possibility of dependency confusion, even if the packages did not include ransomware or credential-stealing payloads. Many of the packages shared cloned code, had tea.yaml files connecting them to attacker-controlled blockchain wallets, and used standard naming conventions. Amazon recommended that companies assess their current npm dependencies, eliminate subpar or non-functional components, and bolster their supply-chain defenses with separated CI/CD environments and SBOM enforcement. 

The event contributes to an increasing number of software supply-chain risks that have led to the release of new guidelines by government organizations, such as CISA, with the goal of enhancing resilience throughout development pipelines. The campaign serves as a sobering reminder that supply-chain integrity can no longer be ignored as the inquiry comes to an end. The scope of this issue demonstrates how readily automation may corrupt open-source ecosystems and take advantage of community trust for commercial gain if left uncontrolled. 

Stronger verification procedures throughout development pipelines, ongoing dependency auditing, and stricter registry administration are all necessary, according to experts. In addition to reducing such risks, investing in clear information, resilient tooling, and cross-industry cooperation will support the long-term viability of the software ecosystems that contemporary businesses rely on.
Read more »
password alternatives
Compromised Passwords Cyber Security Google security Passkey Security passkeys for Google Account password alternatives

Google Password Warning Explained: Why Gmail Users Should Switch to Passkeys Now

 

Despite viral claims that Google is instructing every Gmail user to urgently change their password because of a direct breach, the reality is more nuanced. Google is indeed advising users to reset their credentials, but not due to a compromise of Gmail accounts themselves. Instead, the company is urging people to adopt stronger authentication—including passkeys—because a separate incident involving Salesforce increased the likelihood of sophisticated phishing attempts targeting Gmail users.  

The issue stems from a breach at Salesforce, where attackers linked to the ShinyHunters group (also identified as UNC6040) infiltrated systems and accessed business-related Gmail information such as contact directories, organizational details, and email metadata. Crucially, no Gmail passwords were stolen. However, the nature of the compromised data gives hackers enough context to craft highly convincing phishing and impersonation attempts. 

Google confirmed that this breach has triggered a surge in targeted phishing and vishing campaigns. Attackers are already posing as Google, IT teams, or trusted service vendors to deceive users into sharing login details. Some threat actors are even placing spoofed phone calls from 650–area-code numbers, making the fraud appear to originate from Google headquarters. According to Google’s internal data, phishing and vishing together now account for roughly 37% of all successful account takeovers, highlighting how effective social engineering continues to be for cybercriminals. 

With access to workplace information, attackers can send messages referencing real colleagues, departments, and recent interactions. This level of personal detail makes fraudulent communication significantly harder to recognize. Once users disclose credentials, attackers can easily break into accounts, bypass additional safeguards, and potentially remain undetected until major damage has been done. 

Google’s central message is simple—never share your Gmail password with anyone. Even callers who sound legitimate or claim to represent support teams should not be trusted. Cybersecurity experts emphasize that compromising an email account can grant attackers control over nearly all linked services, since most account recovery systems rely on email-based reset links. 

To reduce risk, Google continues to advocate for passkeys, which replace traditional passwords with device-based biometric authentication. Unlike passwords, passkeys cannot be phished, reused, or guessed, making them substantially more secure. Google also encourages users to enable app-based two-factor authentication instead of SMS codes, which can be intercepted or spoofed. 

Google’s guidance for users focuses on regularly updating passwords, enabling 2FA or passkeys, staying alert to suspicious messages or calls, using the Security Checkup tool, and taking immediate action if unusual account activity appears. This incident demonstrates how vulnerabilities in external partners—in this case, Salesforce—can still put millions of Gmail users at risk, even when Google’s own infrastructure remains protected. With more than 2.5 billion Gmail accounts worldwide, the platform remains a prime target, and ongoing awareness remains the strongest defense.
Read more »
smart contract exploit
Balancer Hack Blockchain Forensics Cross-Chain Attack Crypto Vulnerability Cyber Security Cybersecurity Threats DeFi Security Digital Asset Loss Liquidity Pool Breach smart contract exploit

Balancer Hit by Smart Contract Exploit, $116M Vulnerability Revealed


 

During the past three months, Balancer, the second most popular and high-profile cryptocurrency in the decentralized finance ecosystem has been subjected to a number of high-profile attacks from sweeping cross-chain exploits that have rapidly emerged to be one of the most significant cryptocurrency breaches over the past year. 

The results of early blockchain forensic analysis suggest losses of $100 million to $128 million, and the value of assets that have now been compromised across multiple networks has risen to $116 million, according to initial assessments circulated by independent researchers. In particular, @RoundtableSpace shared data with us on the X platform. In addition to disrupting the Ethereum mainnet as well as several prominent layer-2 networks, the incident also caused liquidity pools on Ethereum's mainnet to be disrupted. 

Almost immediately after the attack, Balancer's team recognized it and began a quick investigation into the attack, working closely with the leading blockchain security firms to contain the damage and determine the scope of the problem. It has sent ripples throughout the DeFi community, raising fresh concerns about the protocol's resilience as attackers continue to exploit complex multi-chain infrastructures to steal data. 

In light of the breach, investigators have since determined that it is a result of a flaw within Balancer's smart contracts, wherein a flaw in initialization allowed an unauthorized manipulator to manipulate the vault. Blockchain analysts have been able to determine that, based on early assessments, the attacker used a malicious contract to bypass safeguards intended to prevent swaps and imbalance across pools and circumvent the exchanges. 

There was a striking speed at which the exploit unfolded: taking advantage of Balancer's deeply composable architecture, in which multiple pools and contracts are often intertwined, the attacker managed to orchestrate multiple tight-knit transactions, starting with a critical Ethereum mainnet call. Through the use of incorrect authorization checks and callback handling, the intruder was able to redirect liquidity and drain assets in a matter of minutes. 

There is still a long way to go until full forensic reports from companies like PeckShield and Nansen are released, but preliminary data suggests that between $110 million and $116 million has been siphoned into a new wallet in Ethereum and other tokens. As the funds appear to be moving through mixers and cross-chain routes to obscurity their origin, their origin appears to be obscured in the new wallet. When investigators dissected Balancer V2's architecture, they discovered a fundamental flaw within the vault and liquidity pools, which led them to find out that the breach occurred as a result of a fundamental breach within the protocol. 

The Composability of Balancer's V2 design made it among the most widely used automated market makers, an attribute that in this instance accentuated the impact of the vulnerability. Upon investigation, it was found that the attacker had implemented a malicious contract that interfered with the pool initialization sequence of the platform, manipulating internal calls that govern the changing of balances and swapping permissions within the platform. 

Specifically, the validation check that is meant to enforce internal safeguards within the manageUserBalance function was flawed, which allowed the intruder to sidestep critical authorization steps and bypass the validation check. It is because of this loophole that the attacker could submit unauthorized parameters and siphon funds directly from the vault without activating the security measures Balancer believed were in place. 

It was an extremely complex operation that unfolded first on Ethereum's mainnet, where it was triggered by a series of precisely executed transactions before it spread to other networks that had been integrated with the V2 vault. According to preliminary assessments, the total losses will amount to between $110 million and $116 million, although some estimates place it at $128 million. 

This is one of the most consequential DeFi incidents in 2025. There were several liquid-staking derivatives and wrapped tokens that were stolen, including WETH, wstETH, OsETH, frxETH, rsETH, and rETH. A total of $70 million was sucked from Ethereum alone, while the Base and Sonic networks accounted for a loss of approximately $7 million, along with additional losses from smaller chains as well. 

In the cryptography records on the blockchain, it can be seen that the attacker quickly routed the proceeds into newly created wallets and then into a privacy mixer after they had been routed through bridges. The investigators stressed, however, that no private keys were compromised; the incident had only a direct impact on Balancer's smart contract logic and not any breach of user credentials, according to their findings. 

As a result of the breach, security experts have advised that users who have access to balancer V2 pools to take immediate precautions. It has been recommended by analysts that pool owners withdraw their funds from any affected pools without delay and revoke smart-contract approvals tied to Balancer addresses through platforms such as Revoke, DeBank, or Etherscan that can be accessed instantly. 

In addition to being advised to closely monitor their wallets using on-chain tools Like Dune Analytics and Etherscan to find out if any irregular activities are occurring, users should also follow the ongoing updates from auditing and security firms including PeckShield and Nansen as this investigation moves forward. As a consequence of the incident, there have already been noticeable effects in the broader DeFi market, such as Balancer's BAL token dropping by 5% to 10%, and the platform's overall value locking experiencing a sharp decline in value as liquidity providers began to withdraw their services in response to mounting uncertainty. 

As noted in industry observers, the episode emphasizes the inherent challenges that come with constructing secure and composable financial primitives. However, they also note that such setbacks often lead to crucial improvements. The Balancer team seems hopeful that they will be able to recover, strengthen their infrastructure, and emphasize the importance of being vigilant and continuously refining their skills in an environment that changes as quickly as the threats that surround it. 

Several experts have commented on the Balancer incident, emphasising that it should serve as a catalyst for enhancing security practices across the DeFi landscape as the investigation continues. Specifically, they say protocols must reevaluate assumptions regarding composability, perform more rigorous pre-deployment testing, and implement continuous audit cycles in order to minimize the likelihood of similar cascading failures occurring in the future. 

It is clear from this episode that users should be careful with the allocation of liquidity, monitor on-chain activity regularly, and exercise vigilant approval management. Although the breach has shaken confidence in the sector, it also represents an opportunity for the sector to grow, innovate responsibly, and strengthen the resilience of decentralized finance despite the disruption.
Read more »
Subscribe to: Comments (Atom)