Researchers at Radware discovered a clever attack called "ShadowLeak" that allowed hackers to steal emails from ChatGPT users completely undetected. The attack worked by embedding hidden malicious code in normal-looking emails using tiny or white text. When victims asked ChatGPT to summarize their emails, the AI would read the hidden code and secretly send email contents to attacker-controlled servers.

The attack left zero traces on company networks since everything happened through OpenAI's infrastructure. Researchers found ChatGPT followed malicious instructions about half the time, with success rates improving when attackers added urgency like "HR compliance checks." OpenAI quietly fixed the vulnerability in August after Radware reported it in June, though the exact solution remains unclear.

Source: Dark Reading

A high court judge has overturned the Home Office's decision to prioritize US extradition over Portugal's request for Diogo Santos Coelho, a 25-year-old Portuguese man with autism facing cybercrime charges.

Coelho, who ran the hacking forum RaidForums, was allegedly groomed online from age 14 and exploited by adults. He faces up to 52 years in US prison but has been assessed as high suicide risk and wants to face justice in Portugal, his home country, where he has family support.

Justice Linden ruled that former Home Secretary James Cleverly failed to properly consider Coelho's mental health, autism diagnosis, victim status under modern slavery laws, and family connections. The current Home Secretary must now reconsider the decision, allowing Coelho to argue why Portugal should take priority.

Source: The Guardian

UK authorities arrested two alleged Scattered Spider hackers: Thalha Jubair, 19, from East London, and Owen Flowers, 18, from West Midlands. Both face UK charges for attacking Transport for London's systems.

Jubair also faces US charges for allegedly orchestrating over 120 cyberattacks worldwide, including 47 against American organizations. Prosecutors say his group used social engineering to steal data and demand ransoms, collecting more than $115 million between May 2022 and September 2025. Jubair controlled wallets containing $36 million in cryptocurrency and faces up to 95 years in prison.

The arrests come as Scattered Spider announced its retirement, though cybersecurity experts remain skeptical and report continued activity targeting financial institutions.

Source: Security Week

SonicWall disclosed a data breach on September 17 where attackers accessed cloud backup files for customer firewalls through brute force attacks targeting their API service. The breach affected fewer than 5% of SonicWall's firewall install base, exposing encrypted credentials and configuration files that could help attackers exploit the related firewalls.

The security vendor immediately disabled the backup feature and launched an investigation with third-party experts. Impacted customers using MySonicWall.com cloud backups are advised to check their accounts, verify if their serial numbers are listed, and rotate all passwords and multi-factor authentication credentials stored in their firewalls.

This marks another security challenge for SonicWall, which has become a frequent target for cybercriminals attacking network edge devices.

Source: Dark Reading

A data breach in New York City's affordable housing lottery program exposed personal information for about 38,000 applicants, including names, incomes, phone numbers, and in some cases Social Security numbers. The breach occurred between May and July when applications became publicly searchable online due to a "system misconfiguration" by Reside New York, a company that reviews applications for the city.

City Council Housing Committee Chair Pierina Sanchez demanded answers after CBS News New York uncovered the breach. Reside CEO Martin Joseph blamed a third-party company called LogicFold for the mistake and says the portal was fixed immediately after being notified.

No identity theft or fraud has been reported so far. The city assures applicants that Housing Connect remains safe, and affected individuals are being offered credit monitoring services.

Source: CBS News New York

A devastating supply chain attack called Shai-Hulud infected over 180 NPM packages starting September 14, compromising 40+ developer accounts and publishing 700+ malicious versions. The self-replicating worm steals secrets, dumps them on public GitHub repositories, and spreads by hijacking NPM tokens to infect more packages.

High-profile targets included @ctrl/tinycolor (2 million weekly downloads) and CrowdStrike packages. The malware harvests GitHub, AWS, and Google Cloud credentials, then creates public repos labeled 'Shai-Hulud Migration' to expose stolen secrets.

Security firms call it one of the most severe JavaScript supply-chain attacks ever. The worm targets Linux and macOS systems while skipping Windows machines. Though many credentials were quickly revoked, dozens of GitHub tokens remain active, keeping the campaign alive.

Source: Security Week

Microsoft and Cloudflare shut down RaccoonO365, a notorious phishing-as-a-service operation that helped cybercriminals steal Microsoft 365 credentials with little technical skill required. Using a court order, Microsoft seized 338 websites tied to the service, which had stolen at least 5,000 credentials from 94 countries since July 2024.

The operation, run by Nigerian mastermind Joshua Ogundipe, offered subscription-based phishing kits for $600 annually. These kits used Microsoft branding to create convincing fake emails and websites, targeting over 2,300 US organizations and 20 healthcare facilities.

Microsoft identified Ogundipe through a cryptocurrency wallet security lapse and sent a criminal referral to international law enforcement. The takedown represents a significant blow to the growing phishing-as-a-service industry.

Source: Dark Reading

The Orleans Parish Sheriff's Office has been hit by a ransomware attack from international cybercrime group Qilin, who breached systems three weeks ago and are demanding payment. The hackers obtained 842 gigabytes of data including contracts, inmate documents, and expense records, though no sensitive information appears compromised.

The attack has disrupted the DocketMaster system that handles inmate transfers and releases, forcing families like one woman whose husband remains jailed despite paying bond to wait longer. "I have two sons, four and six years old. They miss their dad," she told local news.

Officials are using manual workarounds and refuse to pay the ransom. The malware reportedly came through email from another law enforcement agency.

Source: CBS News

SonicWall confirmed attackers breached its MySonicWall.com platform through brute force attacks, accessing firewall configuration files from less than 5% of its customer base. The stolen files contained encrypted passwords and network details that could help attackers exploit customer firewalls more effectively.

This marks a troubling shift from previous SonicWall vulnerabilities, which targeted customer-deployed devices. This time, attackers hit SonicWall's own infrastructure, raising questions about the company's internal security practices.

SonicWall disabled the backup feature and launched an investigation. Affected customers should reset credentials and monitor for unusual activity. The breach adds to SonicWall's security woes—CISA lists 14 exploited vulnerabilities since 2021, including nine used in ransomware attacks.

Source: CyberScoop

A sophisticated new phishing campaign using the "FileFix" technique has spread across 16 countries, from the US to Serbia. The attack impersonates Facebook security warnings, claiming accounts will be suspended unless users take action.

When victims click to "appeal," they're tricked into pasting malicious PowerShell code into Windows File Explorer's address bar under the guise of opening a PDF file. This executes hidden malware that downloads AI-generated images containing steganographically hidden code, ultimately deploying StealC infostealer to harvest passwords and sensitive data.

FileFix builds on the earlier "ClickFix" technique but uses the more familiar File Explorer instead of the Run dialog, making it harder for organizations to block and more likely to fool users unfamiliar with command execution.

Source: Dark Reading