Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Cyber Security. Show all posts

GoDaddy Challenges Indian Court Order Over Domain Privacy and Internet Governance Rules

 

A legal battle in India over online fraud could have major implications for privacy and regulation of the internet around the globe, as domain name registrar Go Daddy takes exception to a Delhi High Court ruling that would impose severe restrictions on domain registration, privacy, and trademark protection. 

The ruling comes in response to an uptick in cyber fraud in India. Government figures from last year show that authorities received 2.4 million fraud complaints, resulting in $2.4 billion in losses. In recent years, Amazon, McDonald’s, Microsoft, and other companies have taken legal action against fake websites that misled consumers into giving away personal information or making purchases. Last December, the Delhi High Court ordered removal of more than 1,100 fraudulent websites. 

With that, the court issued additional directives concerning the management of domain names and registrars. These mandates include forbidding registrars from offering privacy protection services by default, disclosing private domain owner information to third parties upon request if that party can demonstrate a “legitimate interest,” and prohibiting domain name registrations that use trademarks of others. Go Daddy argues in a petition to a larger bench of the Delhi High Court that those measures go significantly beyond what’s needed to combat fraud. 

The company believes such restrictions, if applied consistently, would disrupt internet governance worldwide. Go Daddy also objects to the requirement that domain ownership information be disclosed to anybody demonstrating a “legitimate interest.” The company argues in its petition that the language could prove too broad and that domain registrars shouldn’t be tasked with reviewing requests for domain owner information and deciding whether they meet a “legitimate interest” standard. The firm says the language could create “significant legal and operational challenges.” 

The company raises additional concerns about the order’s potential impact on international domain name sales, arguing that because the global internet isn’t bound by one jurisdiction, requiring local registrars to follow the kind of rules set out in the December ruling would, in essence, require them to follow Indian law for all international transactions. 

Go Daddy further argues that the privacy restrictions could run contrary to India’s data protection laws as well as the European Union’s General Data Protection Regulation (GDPR). By mandating that privacy protections be revoked by default for domain owners, India’s data laws and the GDPR would instead be weakened. 

Many internet governance experts believe the ruling places India at risk of negatively impacting citizens, particularly journalists, activists, bloggers, and small businesses, and that it fails to consider tactics bad actors will use to exploit weaknesses in the domain system. Other domain name registrars have raised similar objections to the December ruling, including Namecheap and Hosting Concepts. 

These companies expect that the ruling will spark similar actions in other jurisdictions. Delhi High Court is set to hear the challenges on July 16, with implications for the future of internet governance and fraud prevention measures yet to be determined.

How the Apple Copy-Paste Scam Can Give Attackers Remote Access to Your Mac

 


Apple users are being urged to exercise caution when following troubleshooting instructions found online after cybersecurity experts underlined a growing social engineering tactic that tricks victims into pasting malicious commands into the macOS Terminal application. Rather than exploiting a flaw in macOS itself, the scam relies on convincing users to voluntarily execute commands that can install malware, grant attackers remote access, or expose sensitive information stored on their devices.

Often referred to as a "copy-paste" scam, the technique targets users unfamiliar with Terminal, a command-line interface included with macOS that enables direct interaction with the operating system through text-based commands. While the application is commonly used by developers, system administrators and advanced users to automate tasks or manage system settings, executing unfamiliar commands without understanding their function can introduce significant security risks.

Unlike traditional malware campaigns that exploit software vulnerabilities, this attack depends almost entirely on social engineering. Cybercriminals impersonate trusted sources or create convincing troubleshooting scenarios to persuade victims that running a Terminal command is necessary to fix a technical issue, improve security or restore system performance. Once executed, however, the command may download malicious software, establish remote access, alter security settings or perform other unauthorized actions without the user's awareness.

Depending on the instructions provided, attackers could gain access to documents, photographs, emails, browser data, financial information, saved credentials and contact lists stored on the Mac. Some malicious scripts may also deploy keylogging software capable of recording everything a victim types, including usernames, passwords and other confidential information. In more severe cases, attackers could install ransomware or persistence mechanisms that allow them to retain access to the compromised system even after a restart.

Security researchers note that the scam can begin through multiple channels. Victims may receive phishing emails or text messages containing the malicious command, encounter it in online discussion forums disguised as a legitimate solution, or visit fraudulent websites presenting it as an official troubleshooting step. Attackers have also been observed posing as technical support representatives over the phone, carefully instructing victims to open Terminal and manually type commands under the pretense of resolving an issue.

The rise of generative artificial intelligence has introduced another avenue for abuse. Threat actors may intentionally publish malicious commands across public websites and discussion platforms in an effort to influence AI-powered assistants through a technique known as indirect prompt injection. If an AI system retrieves or references poisoned content while responding to a user's troubleshooting request, it could inadvertently recommend unsafe commands. Although AI tools continue to improve their safeguards, cybersecurity experts advise users to independently verify any command before executing it on their systems.

The attack typically follows a similar pattern. After directing a user to open the Terminal application located within the Utilities folder inside Applications, the attacker provides one or more commands and claims they are required to diagnose, repair or secure the computer. In reality, those commands may download remote administration tools, retrieve additional payloads from external servers, modify system configurations or provide unauthorized access to the attacker's infrastructure.

Because the attack depends on user participation rather than exploiting a software flaw, many victims may not immediately recognize they are being targeted. Individuals unfamiliar with Terminal often have little reason to question commands presented by someone claiming to represent Apple, a software vendor or a technical support service. Similarly, users searching online for solutions may encounter malicious instructions embedded within forum posts or copied across multiple websites, making them appear credible.

To help reduce the effectiveness of these attacks, Apple introduced additional safeguards in recent versions of macOS. When users who do not regularly work in Terminal attempt to paste commands copied from websites, messaging platforms, email applications or chatbots, the operating system may interrupt the action with a warning indicating that the pasted content could contain malware or compromise privacy. Rather than automatically executing the command, the prompt encourages users to reconsider before proceeding.

Apple has also expanded malware detection capabilities within Terminal. If the operating system identifies known malicious content or scripts, it can block execution and notify the user that the pasted command has been prevented because it poses a security risk. These protections are designed to slow down impulsive actions and reduce the likelihood of users unknowingly compromising their own systems.

Cybersecurity professionals emphasize that no security warning should replace careful judgment. Users should never execute Terminal commands they do not fully understand, regardless of whether the instructions originate from an email, text message, online forum, chatbot or unsolicited phone call. Requests accompanied by pressure tactics or claims that immediate action is required should be treated with particular suspicion, as creating a false sense of urgency remains one of the most common techniques used in phishing campaigns.

Experts also caution against assuming that information found on public forums or generated by AI assistants is inherently trustworthy. Malicious instructions can spread rapidly across the internet and may be reproduced by multiple sources, giving them an appearance of legitimacy. Verifying guidance through official Apple documentation or other trusted security resources before executing any command remains one of the most effective ways to avoid becoming a victim of Terminal-based social engineering attacks.

Zimbra Urges Immediate Update to Fix Critical Classic Web Client XSS Vulnerability

 

Zimbra has released a security update to address a critical vulnerability in the Zimbra Classic Web Client that could allow malicious actors to compromise user accounts and execute unauthorized code. The company recommends that customers install the latest update to mitigate the threat. The flaw is a stored cross-site scripting (XSS) vulnerability that could allow an unauthenticated attacker to execute malicious JavaScript in the browser of a user viewing a specially crafted email message. 

The problem exists in the Classic Web Client component of Zimbra Collaboration Suite. While no CVE identifier has been assigned yet, Zimbra warned that successful exploitation of the vulnerability would lead to the exposure of mailbox content and settings, as well as session details. A stored XSS vulnerability occurs when the application stores user-supplied input without proper sanitization and later displays it to other users. 

In this case, an attacker could utilize this flaw to deliver specially crafted email messages that would execute arbitrary JavaScript code in the browser of a user who opens this message in the Zimbra Classic Web Client. The malicious script would then steal the victim’s session and potentially access their mailbox content, modify account settings, or perform other actions. While Zimbra has not reported any confirmed attacks using this vulnerability, several similar XSS flaws in the Zimbra Collaboration Suite have been actively exploited in the past. 

Attackers have targeted the webmail platform multiple times to hijack the accounts of high-profile organizations, including the Brazilian military, with no success, according to Zimbra. Previously exploited flaws affecting the product are CVE-2025-27915, CVE-2023-37580, and CVE-2024-27443. Therefore, organizations must ensure they have applied the latest security update to address the newly discovered vulnerability. 

The Zimbra Collaboration Suite 10.1.19 release notes mention the fix for the stored XSS in the Classic Web Client. Users must always access the updated version of the webmail platform via HTTPS to avoid man-in-the-middle attacks and other threats. Moreover, security analysts recommend monitoring the email traffic for any signs of suspicious activity and reviewing account access logs for unauthorized changes. 

Users must not open any attachments or links in emails that seem suspicious as these may contain malicious scripts that target webmail clients. Organizations must ensure they apply all security updates to their collaboration platforms as they provide critical protection against potential threats. 

In this case, the newly discovered vulnerability is yet another reminder of the importance of timely software updates. Attackers will continue targeting collaboration platforms such as Zimbra webmail to compromise user accounts by exploiting flaws such as XSS.

India Orders Telegram to Crack Down on Pirated Movies and OTT Content, Seeks Compliance Report

 

Ministry of Information and Broadcasting (MIB) has directed the messaging platform Telegram to take down the pirated films, OTT content and other audio-visual material uploaded on it. It also called upon the company to put in place measures to actively detect, report, disable and remove such unauthorized content from its platform instead of waiting for the government to notify it of alleged violations. 

As per the ministry's direction, the company was also asked to provide the details regarding steps taken by it against repeat offenders of copyright infringement on its platform like channels, groups, bots, admins, users and other entities. As per the notice sent by the ministry, the company was also asked to provide the details about its grievance redressal mechanism for film producers, OTT platforms, broadcasters, and law enforcement agencies concerning copyright infringements. 

At the same time, Telegram was also asked to suggest the steps it has taken to prevent, detect and remove the unauthorized copyrighted content. The ministry clarified that with the directions issued, there is an attempt to move to the next level in taking action against copyright infringement on online platforms. It emphasized that apart from responding to individual complaints, the onus is upon the companies to put in place robust systems to proactively prevent and detect such violations. 

The government has already taken down over 3,000 Telegram channels for hosting and distributing pirated content. However, it is felt that the step taken so far by blocking channels one by one is not an effective approach and the companies need to move to the next level. The ministry reminded Telegram that it was obliged to comply with the requirements of the Information Technology Act, 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 concerning its responsibility as an intermediary platform. 

It observed that due diligence by the companies so that they are not host to any unlawful activities on their platforms cannot be left to the authorities to identify the channels hosting unlawful content. The ministry drew attention to the fact that violation of copyright laws in India is not only a civil wrong but also a punishable offence under Copyright Act, 1957 and Cinematograph Act, 1952. 

Therefore, continued availability of unauthorized content on Telegram, lack of adequate response as expected by the ministry, and failure to address the issues raised by it may trigger further regulatory actions. The latest initiative by the ministry reflects its commitment to protecting and promoting India's creator economy and the content ecosystem. 

It may be noted that the government has taken several steps to ensure that the rights of filmmakers, broadcasters, OTT platforms, producers, distributors and other content creators are protected against online piracy. By asking the online intermediaries to take more responsibility, the government is encouraging them to adopt better moderation practices in order to prevent the unlawful use of content on their platforms.

Centre Plans New Cybersecurity Norms for Electric Two- and Three-Wheelers to Address Battery Tampering Risks

 

The Central government is preparing to introduce new cybersecurity measures aimed at preventing unauthorised tampering with the batteries of electric two-wheelers and three-wheelers. The proposed regulations are expected to mandate stronger software security standards for electric scooters and e-rickshaws, including fully imported models, which have so far operated with limited cybersecurity oversight.

As part of the initiative, authorities are also considering banning mobile applications that can be used to exploit vulnerabilities in electric vehicles equipped with imported Chinese batteries. 

Officials from the Ministry of Heavy Industries and the Ministry of Electronics and Information Technology have reportedly held discussions on addressing these security concerns.

"The software security vulnerability will be plugged," a senior official told ET, adding downloads of mobile apps that can disturb e2w and e3w are expected to be curbed.

According to officials, the decision to restrict such software stems from the difficulty of individually fixing every electric two-wheeler and three-wheeler already in circulation. The software reportedly takes advantage of weaknesses in battery troubleshooting systems, enabling unauthorised users to interfere with vehicle operations.

Another official said electric rickshaws and low-speed electric scooters were initially permitted to encourage wider adoption of electric mobility. However, this also resulted in a significant influx of low-cost imported electric vehicles from China.

"A call has been taken to ensure more safety and software safeguards in new e2w and e3w sold in the country," the official said, adding roadworthy certificates will be issued only to new vehicle models that are free from such vulnerabilities.

The upcoming regulations are also expected to cover completely imported electric vehicles sold in India, ensuring they comply with the same cybersecurity and software safety requirements as locally manufactured models.

U.S. Security Expert Sentenced for Aiding BlackCat Ransomware Gang

 

A cybersecurity professional has become the third U.S. security expert sentenced to prison for aiding a ransomware gang, marking a significant escalation in insider threat cases involving incident response firms. Angelo Martino, a 41-year-old from Florida, pleaded guilty to providing confidential victim information to the BlackCat/Alphv cybercrime group while ostensibly working to help companies negotiate with attackers. 

Modus operandi 

Martino worked as a ransomware negotiator for DigitalMint, a Chicago-based incident response company hired by victims to minimize damage and negotiate lower payouts. Instead, he fed critical details to BlackCat operators, including insurance policy limits and negotiation strategies, enabling the gang to maximize ransom demands across five separate incidents. Prosecutors revealed that Martino also assisted co-conspirators Kevin Martin and Ryan Goldberg in deploying BlackCat ransomware against U.S. victims for six months in 2023, effectively becoming an affiliate of the criminal group. The trio earned more than $1.2 million from a single victim during this period. 

Martino faces up to 20 years in prison at his sentencing hearing scheduled for July 2026, following guilty pleas from Martin and Goldberg in late 2025, who each received four-year sentences in April 2026. Federal authorities have already seized $10 million worth of assets from Martino as part of the investigation. The Justice Department emphasized that Martino's actions directly assisted ransomware actors and increased the financial burden on victim organizations, undermining trust in the cybersecurity incident response ecosystem. 

Lessons for the Industry 

This case highlights a concerning trend of cybersecurity professionals exploiting their trusted positions to facilitate cybercrime, raising questions about vetting processes and oversight within incident response firms. Organizations are now urged to conduct thorough background checks on security personnel and implement strict compliance measures to prevent similar insider threats. The BlackCat/Alphv gang, once a dominant ransomware outfit, has been linked to numerous high-profile attacks, and this collusion scheme demonstrates how criminal groups increasingly target the defenders themselves. 

As the cybersecurity field grapples with this breach of trust, the Martino case serves as a stark reminder that even those hired to protect can become perpetrators. Companies must strengthen internal controls, monitor negotiator activities, and ensure transparency in ransomware response engagements. With sentencing underway and more cases potentially emerging, the industry faces a critical moment to restore confidence in its ability to defend against evolving ransomware threats without internal compromise.

Injective Labs GitHub Compromise Distributes Malicious npm Package Targeting Crypto Wallet Keys

 

Cybersecurity researchers have detected a software supply chain attack in which threat actors compromised the Injective Labs SDK GitHub repository and utilized it to distribute a backdoored version of the npm package containing cryptocurrency wallet credentials stealing capabilities. Researchers at security company Socket have identified that the attackers distributed the malicious code in the @injectivelabs/sdk-ts version 1.20.21 after compromising the GitHub account of one of the trusted maintainers. 

The compromised package was published to the npm registry on July 8, 2026, and subsequently deprecated. Nevertheless, the distribution channel for the malicious artifacts remained available on GitHub at the time of publication. The attackers distributed the backdoored SDK to 17 other @injectivelabs packages, including the wallet, utility, networking, and crypto modules. Since the packages include various apps as dependencies, developers who did not directly install the SDK might also be affected. 

Unlike traditional supply chain malware that typically persists in the compromised software at installation time, the detected backdoor was not activated when the developers installed the package. Rather, the malicious code was designed to exfiltrate the cryptographic assets when the developers used the SDK’s wallet generation feature. 

Thus, the threat actors could hide the malicious payload’s presence by avoiding the use of suspicious scripts typically associated with malware. The detected malware consisted of modified cryptographic functions that replaced the legitimate implementation with the backdoor, which the attackers masked as a performance telemetry component. The additional function exfiltrated the cryptographic assets, including the mnemonic seed phrase and private key generation details, required to recreate the cryptocurrency wallet. 

Researchers noted that the malware persisted in the compromised repositories by sending the collected data to the remote server in aggregated fashion to avoid suspicion by grouping multiple exfiltration requests into one encrypted HTTPS session. The security analysts at OX Security stated that the detected threat was capable of intercepting the master recovery phrase used to seed cryptocurrency wallets. Since the mnemonic seed phrase gives the adversary full access to the wallet funds, threat actors could reproduce the cryptographic assets to gain unauthorized access to the blockchain assets. 

The malware’s distribution channel was compromised using the trusted publishing infrastructure and OpenID Connect (OIDC) publishing pipeline. The detected threat utilized the legitimate account of one of the maintainers, which implies that the attackers did not have to use supply chain malware or impersonate the project on a third-party registry. The developers who installed the affected package should switch to the latest version, 1.20.23, which has been released. 

The security analysts advise the developers to consider all private keys and mnemonic phrases generated with the compromised version of the code as compromised and take the appropriate actions to rotate the cryptographic assets. Moreover, the developers should review their project dependencies to ensure that they do not use the affected versions of the packages indirectly. 

The incident demonstrated how the threat actors could target the software supply chain to compromise the cryptocurrency ecosystem and gain unauthorized access to the crypto assets by compromising the open-source developer infrastructure.

Injective SDK Supply Chain Attack Exposed Developers to Cryptocurrency Wallet Theft


 

InjectiveLabs/SDK-TS, a widely used package, was briefly published on Node Package Manager (npm) as a malicious version after attackers gained access to a legitimate contributor's GitHub account, exposing developers to the theft of cryptocurrency wallet credentials. Several security researchers from Socket, Ox Security, and StepSecurity identified the supply chain attack as targeting Injective Labs' TypeScript/JavaScript SDK, which is used to develop applications based on Injective's blockchain.

The SDK is widely adopted by developers who create cryptocurrency wallets, decentralized finance (DeFi) applications, decentralized exchanges, trading bots, and payment platforms, with approximately 50,000 downloads per week on NPM. 

A significant security issue is the responsibility of the SDK when it comes to creating and importing cryptocurrency wallets, as it occupies a critical position in the development process. Developers and end users alike are particularly vulnerable to any compromise of the SDK because the wallet creation functions are crucial to the handling of users' mnemonic recovery phrases and private keys. 

Researchers have determined that hackers gained access to a legitimate contributor's GitHub account on June 8 and introduced malicious code, which was later released as version 1.20.21 for the @injectivelabs/sdk-ts package. Additionally, 17 additional Injective-related packages were referenced by the compromised release, resulting in a significant impact on downstream projects. According to security researchers, attackers compromised a legitimate maintainer's account after exploiting the trust-worthy GitHub publishing workflow of the project. 

As opposed to stealing an NPM publishing token or creating a fake package, the malicious version was distributed through the repository's normal release process, making the compromise appear genuine. Package maintainers detected the malicious activity within minutes, reverting the unauthorized changes and releasing a version that is free of malicious activity, 1.20.23. 

Nevertheless, systems that downloaded or updated the compromised package during the brief exposure window may still have been affected. In contrast to conventional malware that is executed during installation, the injected code is activated when developers create or import cryptocurrency wallets using SDK functions. 

When this was achieved, the malware captured private wallet keys and mnemonic seed sentences, encoded the information, and sent it via HTTP POST request to what appeared to be an official Injective Labs infrastructure endpoint in order to blend into normal network traffic. As a method of minimizing detection, the malware disguised its outbound communication as legitimate injective network traffic in order to prevent detection. 

By capturing multiple wallet secrets temporarily, encoding them, and transmitting them as a single request, the malicious activity was able to blend in with blockchain-related communications, avoiding detection. The malware, according to StepSecurity researchers, collected wallet secrets for approximately two seconds before bundling them into a single request to minimize suspicion while maximizing the amount of data stolen. 

In a recent report, Socket reported that 310 malicious packages had been downloaded before they were deprecated, but there is reportedly still availability of the associated malicious GitHub release artifacts. As a consequence of Ox Security's warning, the compromised SDK is dependent on 87 direct NPM packages, accounting for more than 112,000 cumulative downloads, illustrating the risk to a larger supply chain.

Researchers noted that even though the malicious payload was contained within @injectivelabs/sdk-ts, the compromised release affected 17 additional injective packages that depended on the infected SDK version. This could have resulted in developers installing the backdoored package unknowingly through normal project dependencies, thereby significantly expanding the attack's impact. 

It is advised that developers who suspect they may have installed the affected version transfer cryptocurrency assets immediately into new wallets, replace compromised private keys and seed phrases, and rotate any sensitive credentials stored within their development environment immediately. The incident underlines the growing threat posed by software supply chain attacks, particularly within the cryptocurrency ecosystem where a compromised development dependency may result in a significant financial loss to both developers and end users.

Due to the increasing sophistication of software supply chain attacks, organizations and developers must strengthen dependency verification, monitor package integrity, and respond quickly to compromised components so that credential theft and downstream compromise can be reduced.