⚡ Weekly Recap: Scattered Spider Arrests, Car Exploits, macOS Malware, Fortinet RCE and More

In cybersecurity, precision matters—and there’s little room for error. A small mistake, missed setting, or quiet misconfiguration can quickly lead to much bigger problems. The signs we’re seeing this week highlight deeper issues behind what might look like routine incidents: outdated tools, slow response to risks, and the ongoing gap between compliance and real security.

For anyone responsible for protecting systems, the key isn’t just reacting to alerts—it’s recognizing the larger patterns and hidden weak spots they reveal.

Here’s a breakdown of what’s unfolding across the cybersecurity world this week.

⚡ Threat of the Week

NCA Arrests for Alleged Scattered Spider Members — The U.K. National Crime Agency (NCA) announced that four people have been arrested in connection with cyber attacks targeting major retailers Marks & Spencer, Co-op, and Harrods. The arrested individuals include two men aged 19, a third aged 17, and a 20-year-old woman. They were apprehended in the West Midlands and London on suspicion of Computer Misuse Act offenses, blackmail, money laundering, and participating in the activities of an organized crime group. They are believed to be associated with the notorious cybercrime group known as Scattered Spider, an offshoot of a loose-knit collective called The Com, which is responsible for a vast catalog of crimes, including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, kidnapping, and murder.

• PerfektBlue Bluetooth Flaws Expose Millions of Vehicles to Remote Attacks — Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from Mercedes-Benz, Volkswagen, and Skoda. “PerfektBlue exploitation attack is a set of critical memory corruption and logical vulnerabilities found in OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain Remote Code Execution (RCE),” PCA Cyber Security said. Volkswagen said the identified issues exclusively concern Bluetooth and that neither is vehicle safety nor integrity affected. It also noted that exploitation of the vulnerabilities is only possible when several conditions are met simultaneously.
• North Korean Hacker Behind Fraudulent IT Worker Scheme Sanctioned — The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for their role in the infamous remote information technology (IT) worker scheme. Song Kum Hyok, 38, is alleged to have enabled the fraudulent operation by using foreign-hired IT workers to seek remote employment with U.S. companies and planning to split income with them. The sanctions mark the first time a threat actor linked to Andariel, a sub-cluster within the Lazarus Group, has been tied to the IT worker scheme. “While the Treasury’s announcement marks a formal public association of the Andariel (APT45) hacking group with North Korea’s remote IT worker operation, the connection reflects a much broader and long-running pattern,” Michael “Barni” Barnhart, Principal i3 Insider Risk Investigator at DTEX, told The Hacker News.
• Chinese Hacker Arrested for Silk Typhoon Attacks — A Chinese national has been arrested in Milan, Italy, for his alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyber attacks against American organizations and government agencies. Xu Zewei, 33, has been accused of being involved in the U.S. computer intrusions between February 2020 and June 2021, including a mass attack spree that leveraged then-zero-day flaws in Microsoft Exchange Server, a cluster of activity the Windows maker designed as Hafnium. Xu, alongside co-defendant and Chinese national Zhang Yu, are believed to have undertaken the attacks based on directions issued by the Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB).
• Threat Weaponize Leaked Version of Shellter to Distribute Stealers — Hackers are exploiting a popular red teaming tool called Shellter to distribute stealer malware and remote access trojans. The campaigns are believed to have started in April 2025, around the same time a company that procured a licensed version of the software leaked a copy on cybercrime forums. “Although the Shellter Project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contend with real threats wielding more capable tools,” Elastic Security Labs said.
• Fortinet Patches Critical SQL Injection Flaw — Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0. According to watchTowr Labs, the problem is rooted in the fact that a Bearer token Authorization header in a specially crafted HTTP request is passed directly to an SQL database query without adequate sanitization to make sure that it’s not harmful and does not include any malicious code. The disclosure comes as Sonar detailed multiple vulnerabilities in Fortinet’s FortiClient (CVE-2025-25251, CVE-2025-31365, CVE-2025-22855, CVE-2025-22859, and CVE-2025-31366) that, when chained together, grants an attacker complete organizational control with minimal user interaction. CVE-2025-22859 “enables an authenticated attacker to upload a stored XSS payload to a Linux-based EMS server,” security researcher Yaniv Nizry said. “Exploiting this vulnerability, an attacker can manipulate an EMS user into clicking a malicious link, forcing all registered endpoints to switch connection to a malicious EMS server without any interaction from the clients. This makes them susceptible to arbitrary code execution.”

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-24269, CVE-2025-24235 (SMBClient), CVE-2025-30012, CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (SAP), CVE-2025-52488 (DNN), CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, CVE-2025-6243 (Ruckus Wireless), CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Apache Tomcat), CVE-2025-6948 (GitLab CE/EE), CVE-2025-0141 (Palo Alto Networks GlobalProtect App), CVE-2025-6691 (SureForms plugin), CVE-2025-7206 (D-Link DIR-825), CVE-2025-32353, CVE-2025-32874 (Kaseya RapidFire Tools Network Detective), CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029 (Gigabyte UEFI), CVE-2025-1727 (End-of-Train and Head-of-Train devices), and a critical double free vulnerability in the Linux kernel’s pipapo set module.

📰 Around the Cyber World

• Atomic Stealer Gets a Backdoor Feature — The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to obtain persistent access to compromised systems. The new component allows executing arbitrary remote commands, gaining full user-level access, and even surviving reboots, allowing attackers to maintain control over infected hosts indefinitely. According to Moonlock Lab, campaigns distributing Atomic have recently shifted from broad distribution channels like cracked software sites to targeted phishing aimed at cryptocurrency owners and using staged job interview invitations to infect freelancers. The United States, France, Italy, the United Kingdom, and Canada are among the most affected by the stealer malware. It is only the second known case of backdoor deployment at a global scale targeting macOS users, after North Korea. “The upgrade to AMOS represents a significant escalation in both capability and intent, whether the changes were made by the original malware authors or by someone else modifying the code,” the company said. “It’s clear that the Russia-affiliated authors of Atomic macOS Stealer are following in the footsteps of North Korean attack groups.”
• Call of Duty Makers Takes Game Offline After Reports of RCE Exploit — The makers of Call of Duty: World War 2 announced that the PC version of the game has been taken offline following “reports of an issue.” The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability in the popular video game that could allow an attacker to take over others’ PCs during live multi-player matches. The RCE exploit has been found to be abused to open command prompts on victim PCs, send mocking messages via Notepad, and forcibly shut down players’ computers, among others. Activision has not officially commented on the issue, but it’s said to be working to remediate the bug.
• BaitTrap Uses Over 17K Sites to Push Scams — A network of more than 17,000 websites is mimicking trusted brands, including CNN, BBC and CNBC, to redirect visitors to online scams. The BaitTrap network uses Google and Meta ads, social media posts, and YouTube videos to lure victims. The bogus sites typically collect personal information and attempt to hijack online crypto accounts. They target audiences in more than 50 countries all over the globe. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to “fabricated investment schemes in order to build trust and get engagement from victims.”
• Dutch Police Arrest 5 Phishing Gang Members — Dutch police have arrested five members of a phishing gang that operated out of the city of Lelystad. Four of the group’s members are teenagers aged 14 to 17. Authorities said the suspects used QR codes sent via email to collect login credentials for local banks. In a related law enforcement development, Nepalese authorities have apprehended 52 people for allegedly running online dating and crypto investment scams. The group ran a call center and a dating app called METOO to lure young Nepali women and facilitate fraudulent online transactions. Six of the detained suspects are Chinese and are believed to have managed the operation.
• German Court Orders Meta to Pay €5K Over GDPR Violation — A German court has ruled that Meta must pay €5,000 ($5,900) to a German Facebook user who sued the platform for embedding its Pixel tracking technology in third-party websites. The ruling could open the door to large fines down the road over data privacy violations relating to similar tracking tools. The Regional Court of Leipzig in Germany ruled that Meta tracking pixels and software development kits embedded in countless websites and apps collect users’ data without their consent and violate the continent’s General Data Protection Regulation (GDPR). “Every user is individually identifiable to Meta at all times as soon as they visit the third-party websites or use an app, even if they have not logged in via the Instagram and Facebook account,” the court said.
• LFI Flaw in Microsoft Export to PDF Feature — A Local File Inclusion (LFI) vulnerability has been disclosed in Microsoft 365’s Export to PDF functionality, potentially allowing attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft, earning them a $3,000 bounty reward. “It turned out there was an undocumented behavior that allowed converting from HTML to PDF files,” Baldi said. “By embedding specific tags (<embed>, <object>, and <iframe>) into the HTML content, an attacker could force the inclusion of local files from the server’s file system into the resulting PDF—even files located outside the server’s root directory.”
• Unpatched Flaws in Ruckus Wireless — Multiple unpatched security flaws have been disclosed (CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, and CVE-2025-6243) in Ruckus Wireless management products Virtual SmartZone (vSZ) and Network Director (RND) could be exploited by an attacker to leak sensitive information and compromise the wireless environment. The flaws include authentication bypass, hard-coded secrets, arbitrary file read by authenticated users, and unauthenticated remote code execution. “An attacker with network access to Ruckus Wireless vSZ can exploit CVE-2025-44954 to gain full administrator access that will lead to total compromise of the vSZ wireless management environment,” CERT/CC said. “Furthermore, multiple vulnerabilities can be chained to create chained attacks that can allow the attacker to combine attacks to bypass any security controls that prevent only specific attacks.” Noam Moshe of Claroty Team82 has been credited with discovering and reporting the issues. In the absence of patches, users are advised to limit access to trusted users and their authenticated clients to manage the infrastructure via a secure protocol like HTTPS or SSH.
• Security Flaws in Gigabyte UEFI — Multiple security flaws have been disclosed in UEFI modules present in Gigabyte firmware (CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029) that an attacker could exploit to elevate privileges and execute arbitrary code in the System Management Mode (SMM) environment of a UEFI-supported processor. “An attacker with local or remote administrative privileges may exploit these vulnerabilities to execute arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections,” CERT/CC said. “These vulnerabilities can be triggered via SMI handlers from within the operating system, or in certain cases, during early boot phases, sleep states, or recovery modes – before the OS fully loads.” Successful exploitation of the vulnerabilities can disable UEFI security mechanisms such as Secure Boot and Intel BootGuard, facilitating stealthy firmware implants and persistent control over the system. The flaws were discovered and reported by Binarly.
• Android did not have a patch for the first time in July 2025 in a Decade — Google announced that no security patches have been released for Android and Pixel devices for the month of July 2025, ending a decade-long streak of security updates. This is the first month no security updates have been released since Google started rolling out monthly Android fixes in August 2015.
• Indonesia Extradites Russian National for Selling Personal Data on Telegram — Indonesia has extradited a Russian citizen named Alexander Zverev for allegedly running a Telegram channel that sold personal data obtained from law enforcement databases. Russian authorities claimed that Zverev operated an unnamed criminal network between 2018 and 2021 that profited from selling sensitive personal information sourced from databases belonging to Russia’s Interior Ministry (MVD), Federal Security Service (FSB), and mobile phone operators. Subscribers of the Telegram channel could allegedly purchase details about Russian citizens, including private information. Authorities have not disclosed the name of the channel or whether it is currently operational.
• Law Enforcement Catches Up on Ransomware Actors — The Brussels criminal court sentenced the Russian developer of Crylock ransomware to seven years in prison for masterminding the malware’s deployment on thousands of computers. His former co-conspirator, a female involved in advertising Crylock and negotiating with the victims, was sentenced to five years. More than €60 million (~$70 million) in cryptocurrency representing illegal proceeds from the ransomware operation have been seized by law enforcement. The development came as French authorities arrested a 26-year-old Russian basketball player for his alleged role in ransomware attacks. Daniil Kasatkin was arrested on June 21, 2025, at the Charles de Gaulle Airport in Paris at the request of U.S. authorities. It’s alleged that Kasatkin helped an unnamed ransomware gang negotiate ransoms. Kasatkin’s lawyer denied the charges and claimed his client had no technical skills. “He bought a second-hand computer. He did absolutely nothing. He’s shocked,” his lawyer, Frédéric Bélot, told AFP. “He’s useless with computers and can’t even install an application. He didn’t touch anything on the computer: it was either hacked, or the hacker sold it to him to act under the cover of another person.” He’s currently being held pending extradition to the U.S. The ransomware group Kasatkin was allegedly involved with has not been named, but is said to have attacked roughly 900 companies. The U.S. Federal Bureau of Investigation (FBI) said recently that it’s aware of 900 organizations hit by the Play ransomware group.
• RansomedVC Returns After Hiatus; Leaks Medusa Data — The RansomedVC ransomware group has returned after a two-year absence and leaked the internal chat transcripts of the Medusa ransomware group from December 11, 2022, to March 2023. RansomedVC claimed Medusa’s admin “seems completely absent and unresponsive to the needs of his members” and indicated that they may either be trying an exit scam or might have been compromised by law enforcement. “From the transcript and analyzing previous events, the group is mainly focused on targeting Fortinet Access as an SQLi Vulnerability was exploited by the group in 2024 and the current leaked chat that mentions ‘Forti’ also underlines its importance which dates back to 2023,” security researcher Rakesh Krishnan said. The development coincides with the emergence of new players, including BERT. Another ransomware group, SafePay, which emerged last year has since evolved to become “one of the most active and dangerous actors,” mainly targeting managed service providers (MSPs) and small-to-midsize businesses (SMBs). “The group uses classic but effective techniques: RDP- and VPN-based intrusion, credential theft, privilege escalation and living-off-the-land binaries to quietly move through victim networks, exfiltrate sensitive data and then encrypt files,” Acronis said. Ransomware assaults on businesses around the world have increased by 213% in the first quarter of 2025, with 2,314 victims reported over 74 distinct data breach sites, compared to just 1,086 in the first quarter of 2024.
• Disgruntled IT Worker Jailed for Cyber Attack — Mohammed Umar Taj, 31, of Hyrst Garth, Batley, U.K., was sentenced to seven months and 14 days in prison for unlawfully accessing his former employer’s premises, altering login credentials, and changing access credentials and multi-factor authentication configuration to disrupt the company’s operations. He was suspended from work in July 2022.
• Hacker Behind GMX Exchange Returns Assets — An unknown hacker behind the $42 million theft from decentralized exchange GMX has returned the stolen assets in return for a $5 million bug bounty. The development happened after GMX promised not to pursue charges if the hacker returned the funds. In a post-mortem report, the company said it has addressed the root cause in a subsequent update. “Based on a review of the incident by contributors, auditors and security researchers, the root cause of the exploit is a reentrancy attack,” it said. “By utilizing this reentrancy and bypassing the average short price calculations, the attacker was able to open positions and manipulate the average short price for BTC downwards from the initial value of $109,505.77 to $1,913.70.”
• Flaws in Thermomix TM5 Appliance — A security analysis of Thermomix TM5’s has uncovered several weaknesses that could render the kitchen appliance susceptible to firmware downgrade attacks (limited to versions prior to 2.14. Version 2.14) and secure boot bypass, allowing an attacker to gain persistence. “This vulnerability can be chained with the firmware downgrade vulnerability to gain arbitrary code execution and apply a controlled firmware update file without messing up with the NAND flash,” Synacktiv said. “By exploiting these flaws, one can alter the firmware version block to bypass anti-downgrade protections, downgrade the firmware, and potentially execute arbitrary code.”
• API Client Security Risks Detailed — An analysis of API clients like Postman, Insomnia, Bruno, and Hoppscotch has uncovered potential vulnerabilities within their JavaScript sandboxing implementations that could be exploited to achieve code execution. “Running untrusted code without any isolation is, of course, a bad idea, but it is also problematic to use seemingly working solutions such as Node.js’s built-in vm module or the third-party vm2 package,” Sonar researchers Oskar Zeino-Mahmalat and Paul Gerste said. “These are known to have bypasses that let malicious code escape the sandbox and get access to system resources.”
• Ubuntu Turns Off Intel GPU Security Mitigations — Ubuntu has disabled a security feature that protected Intel GPUs against Spectre side-channel attacks. Canonical said it now uses kernel-level protections, making it no longer necessary to have those safeguards. Ubuntu developers can expect the operating system to see a 20% in improvement in performance following the update. “After discussion between Intel and Canonical’s security teams, we are in agreement that Spectre no longer needs to be mitigated for the GPU at the Compute Runtime level,” Ubuntu maintainers said. “At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running modified kernels without those patches. For these reasons, we feel that Spectre mitigations in Compute Runtime no longer offer enough security impact to justify the current performance tradeoff.”
• Botnet Engages in Web Scraping — A new botnet comprising more than 3,600 unique IP addresses has been observed involved in web scraping activity at least since April 19, 2025. The majority of the botnet’s infected hosts are located in Taiwan, Japan, Bulgaria, and France, GreyNoise said, with targeted systems predominantly located in the United States and United Kingdom. “The dominance of Taiwanese IP space could suggest: A common technology or service deployed widely in Taiwan has been compromised, or that local exposure to a shared vulnerability is driving the clustering,” the threat intelligence firm said.
• Czechia Becomes the Latest Country to Issue Warning About DeepSeek — Czechia’s cybersecurity agency, the National Cyber and Information Security Agency (NÚKIB), issued a formal warning detailing the national security risks posed by the use of software provided by Chinese artificial intelligence company DeepSeek. “The primary security concerns stem from insufficient protection of data transmission and handling, from the collection of data types which, in greater volume, may lead to user deanonymization, and lastly, from the legal and political environment of the People’s Republic of China to which the company DeepSeek is fully subject,” NÚKIB said. To that end, the government has banned the use of DeepSeek on state-owned devices, urging the public to be mindful of the information shared with the platform. However, NÚKIB noted that the decision does not apply to open-source large language models (LLMs) developed by the company DeepSeek, provided that their source code is made available for review and can be deployed locally without any contact with servers associated with DeepSeek or its related entities. Several other nations, including Canada, Germany, Italy, the Netherlands, South Korea, and Taiwan, have issued similar warnings.
• TikTok Comes Under E.U. Radar Again — Ireland’s Data Protection Commission (DPC) said it’s opening a probe into TikTok over the transfer of user data in the European Union to servers located in China. “The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the transfers now at issue, including the lawfulness of the transfers [under GDPR],” the DPC said. The development comes a little more than two months after the DPC fined TikTok €530 million ($620 million) for infringing data protection regulations in the region by transferring European users’ data to China and for allowing TikTok’s China-based staff access European user data. TikTok, which is owned by China’s ByteDance, has been the subject of intense scrutiny on both sides of the Atlantic over how it handles personal user information amid concerns that it poses a national security risk. As per stringent data protection laws in the region, European user data can only be transferred outside of the bloc if there are safeguards in place to ensure the same level of protection. TikTok is also facing the heat in the United Kingdom after the First-tier Tribunal ruled that the Information Commissioner’s Office (ICO), the British data regulator, has the power to issue a monetary penalty notice (MPN) to TikTok. The ICO fined TikTok £12.7 million in 2023, but the company argued that “its processing was for artistic purposes, so the ‘special purposes’ provisions applied.”
• Google Details Advanced Protection in Android — Back in May 2025, Google launched Advanced Protection, a security feature that “ensures all of Android’s highest security features are enabled and are seamlessly working together to safeguard you against online attacks, harmful apps, and data risks.” Similar to Lockdown Mode in Apple iOS, iPadOS, and macOS devices, Advanced Protection aims to provide improved guardrails for journalists and other high-risk targets. In Google Chrome, this includes always using secure connections, full site isolation on mobile devices with 4GB+ RAM to keep malicious sites away from legitimate sites, and disabling JavaScript optimizations.
• SatanLock Announces Abrupt Shutdown — SatanLock, a newer ransomware group on the threat landscape, has announced that it will be shutting down. The exact reasons behind the sudden move is unclear. The group first emerged in early April, and published 67 victims within a span of a month. However, Check Point found that 65% of these victims had already been listed by other ransomware groups.
• Russia Rejects Law to Legalize White-Hat Hacking — Russia’s State Duma has rejected legislation that would have legalized ethical hacking, citing national security concerns. Politicians expressed worries that finding vulnerabilities found in software made by companies headquartered in hostile countries would require sharing them, which, in turn, could lead to those nations abusing the defects for strategic gain, local media reported.
• GitHub Repos Used to Distribute Malware as Free VPN — Threat actors have been observed using GitHub as a mechanism for staging stealer malware like Lumma by disguising it as ‘Free VPN for PC and Minecraft Skin Changer. “The analysis of the ‘Free-VPN-For-PC’ sample revealed that, behind its seemingly legitimate facade, it functions as a sophisticated malware dropper designed to implant the Lumma Stealer,” CYFIRMA said. “Disguised as a helpful tool, the dropper uses multiple layers of obfuscation, in-memory execution, and process injection to evade detection. The same malware was also repackaged under the name ‘Minecraft Skin,’ indicating a broader social engineering tactic targeting different user interests.”
• NFC-Enabled Fraud Targets Philippines’ Financial Sector — Chinese mobile malware syndicates that rely on NFC relay attacks have now spread to the Philippines, Resecurity revealed. “Major underground shops managed by Chinese cybercriminals list the Philippines as one of the most impacted areas, based on the volume of compromised credit cards (CCs),” the company said. Some of the other top regions targeted by Chinese cybercriminals include Australia, Taiwan, Malaysia, New Zealand, Singapore, Thailand, Hong Kong, Korea, and Indonesia. These groups, active on Telegram, enable fraudsters to acquire compromised cards and also check whether they are valid or not, using micro-charges performed via fraudulent merchants set up by Chinese cybercriminals. Attackers can then use tools like Z-NFC, X-NFC, SuperCard X, Track2NFC to clone stolen card data and perform unauthorized transactions using NFC-enabled devices.
• GitPhish Tool to Automate GitHub Device Code Phishing — Cybersecurity researchers have demonstrated a novel initial access vector that leverages the OAuth 2.0 Device Authorization Grant flow to compromise an organization’s GitHub repositories and software supply chain. Called Device Code Phishing, the technique employs social engineering ploys to trick targets into entering an eight-digit device code by clicking on an attacker-provided link, potentially leading to complete compromise of organizational GitHub repositories and software supply chains. It’s worth noting that device code phishing has been utilized by suspected Russian threat actors to gain access to Microsoft accounts. “We designed GitPhish explicitly for security teams looking to conduct assessments and build detection capabilities around Device Code Phishing in GitHub,” Praetorian said. “Red teamers can simulate realistic attack scenarios to test organizational resilience, while detection engineers can validate their ability to identify suspicious OAuth flows, unusual GitHub authentication patterns, and potential social engineering attempts.”
• Malicious Browser Extensions Galore — A set of 18 malicious extensions with 2.3 million downloads in Google’s Chrome Web Store and Microsoft Edge Addons have been found to incorporate features to track users’ site visits, steal browser activity, and redirect to potentially unsafe sites. These add-ons pose as productivity and entertainment tools across diverse categories, including color pickers, emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters and YouTube unblockers. While they offer the advertised functionality, they provide the perfect cover to conceal their browser surveillance and hijacking capabilities. The activity has been codenamed RedDirection by Koi Security. What makes the campaign concerning is that the extensions started off as benign tools, with the malicious code introduced at a later time via updates, in some cases after years. Last month, LayerX revealed that it had identified a network of malicious “sleeper agent” extensions that are likely being set up as a stepping stone for future activity. These extensions were identified as being installed nearly 1.5 million times. One of the extensions that’s common to both these clusters is “Volume Max — Ultimate Sound Booster” (extension ID: mgbhdehiapbjamfgekfpebmhmnmcmemg). The disclosure coincides with another campaign uncovered by Secure Annex dubbed Mellow Drama, which has transformed hundreds of extensions incorporating a Mellowtel library into a distributed web scraping network. The extensions have been collectively installed nearly 1 million times. “We discovered a new monetization library developed by Mellowtel that pays extension developers in exchange for the ‘unused bandwidth’ of users who have an extension installed,” John Tuckner said. The library has been traced back to an individual named Arslan Ali, who is also the founder of a company called Olostep that claims to offer the “World’s Most Reliable and Cost-effective Web Scraping API.” It’s believed that scraping requests from Olostep are distributed to any of the active extensions that are running the Mellowtel library. Mellowtel has since responded, stating it does not collect or sell users’ personal data. “Instead of collecting users’ data, tracking them across the web, and showing them ads non-stop, we are building a monetization engine for developers based on bandwidth/resource sharing,” Ali said.

🎥 Cybersecurity Webinars

• Stop ‘Pip Install and Pray’: How to Secure Your Python Supply Chain in 2025 – Repojacking, typosquatting, and poisoned containers are turning trusted tools into attack vectors. Whether you’re managing infrastructure or writing code, securing your Python environment is no longer optional. Learn how to take control before attackers do.
• From Login Fatigue to AI Fatigue: Securing Identity in 2025 – AI is streamlining logins—but it’s also raising alarm bells. Customers are growing wary of how their data is used, and trust is becoming harder to earn. This webinar reveals how leading brands are rebuilding digital trust while staying secure and user-friendly.
• From Copilots to Attack Bots: Securing the AI Identity Layer – As AI copilots and agents go mainstream, attackers are using the same tools to bypass logins, impersonate users, and exploit APIs. In this webinar, Okta reveals how to outpace AI threats by making identity your first—and last—line of defense.

🔧 Cybersecurity Tools

• BitChat – It is a tool that lets you chat without the internet, servers, or even phone numbers—just Bluetooth. It builds a local mesh network between nearby devices, enabling fully offline communication. Public group chats are secure and ready to use. Private messages and channels are still under development and haven’t been externally reviewed, so they’re not recommended for sensitive conversations just yet.
• GitPhish – It is a tool for testing GitHub’s device login flow in a security research setting. It helps stimulate phishing-style attacks by creating fake login pages, capturing tokens, and tracking activity. Built for ethical testing, it includes a dashboard, automated deployments, and logging—all meant for use in safe, authorized environments only.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Map Known Vulnerabilities Automatically Across Your Stack — Manually checking for CVEs is slow, incomplete, and easy to get wrong. Instead, use automated tools that correlate software versions with known vulnerabilities across your entire environment—both internal and internet-facing.

Start with Nmap and tools like CVEScannerV2 or Vulners NSE to scan live services for exposed software versions and match them to CVE databases. For deeper insights:

• Use tools like Nuclei (customizable vulnerability templates), Trivy (container + system CVEs), and Grype (SBOM-based scanning).
• Monitor third-party components with OSV-Scanner or Dependency-Track if you’re building software.
• Set up scheduled scans and use tools that integrate with ticketing systems to ensure teams actually act on the findings.

Finally, filter out noise—not every CVE is worth patching. Focus on CVEs with public exploits, high CVSS scores, and exposure to users or attackers.

Pro tip: Always validate findings with real-world exploitability, not just version matches.

Conclusion

What stands out this week isn’t just the scale of incidents—it’s how familiar tools, platforms, and even browser extensions are being quietly turned against us. From red teaming software reappearing as malware loaders to code libraries enabling stealth attacks, the line between legitimate use and exploitation keeps getting harder to see. When trusted environments become part of the attack chain, security teams must look beyond patching and start questioning assumptions about what’s safe by default.

Staying ahead means paying just as much attention to what’s already inside the gates as what’s trying to break in.