Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11801
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-07-23 13:23:00 | bleepingcomputer | MISCELLANEOUS | NPM Incorrectly Removes Stylus Library, Disrupting Global Software Builds | NPM removed all versions of the Stylus CSS library and replaced them with a "security holding" page, citing an accidental ban.
This incident has caused significant disruption, breaking software builds and pipelines worldwide that depend on Stylus.
The removal appears to have been collateral damage from npm banning another maintainer with publish rights to Stylus, who had published malicious packages unrelated to Stylus.
A security researcher from Mend.io confirmed that the most recent version of Stylus was clean, supporting the view that the removal was a mistake triggered by a different maintainer's actions.
Developers have been forced into workarounds, such as referencing the Stylus package from an alternative source or pinning it with npm overrides, to keep their projects building.
The npmjs community and Stylus developers are awaiting action from npm to restore the package officially.
This event highlights risks associated with dependency management in software development and underscores the broader impact of administrative errors in package management ecosystems. | Details |
| 2025-07-23 13:07:51 | theregister | MISCELLANEOUS | Microsoft Integrates AI Features into Windows 11, Focuses on User Settings | Microsoft's new Windows 11 update introduces several AI features like Copilot Vision, which captures and analyzes user screen activity and sends data to Microsoft's servers.
The new AI capabilities are centralized within Windows 11, designated the platform for innovative AI experiences for consumers, including features like Recall and improved search functions, employing technologies like optical character recognition and large language models.
Copilot Vision is an opt-in service that records screen activity only when activated, unlike its predecessor Recall which was always active, making it ostensibly less invasive.
The update also adds AI-driven features across applications, including a reading-assistance tool and an immersive reading mode in Microsoft Word and AI capabilities in Paint and the Snipping Tool.
Microsoft is also changing the system error screen: the Blue Screen of Death (BSoD) becomes a Black Screen of Death, promising a less verbose and more readable error display.
The development includes a new AI-powered agent within the Windows Settings that can autonomously adjust settings based on natural language instructions, built to operate on specific Copilot+ systems with Qualcomm Snapdragon hardware.
Microsoft introduced the Surface Laptop 5G, supporting advanced AI features geared towards enhancing user interaction with continuous connectivity to Microsoft 365 Copilot and other cloud tools. | Details |
| 2025-07-23 12:59:01 | thehackernews | MALWARE | New Coyote Malware Variant Targets Brazilian Banking Credentials | Coyote malware, first identified by Kaspersky in 2024, has evolved to exploit Microsoft's UI Automation (UIA) to steal banking credentials in Brazil.
The latest Coyote variant affects users by targeting 75 banking and cryptocurrency exchange websites to harvest sensitive data.
The malware utilizes Windows accessibility frameworks to intercept user credentials, leveraging methods similar to those seen in Android banking trojans.
Coyote employs both the GetForegroundWindow() API and UIA to identify and extract information from browser tabs and address bars corresponding to the targeted financial sites.
Akamai’s recent research demonstrates the malware can operate both online and offline, optimizing its chances of capturing relevant user information.
UIA is a Windows accessibility framework (exposed through COM and .NET APIs) intended for assistive technologies, but the same capabilities can be misused by malware, presenting a significant security challenge.
Akamai had previously showcased a proof of concept in December 2024, illustrating UIA’s capabilities for credential theft or executing malicious code. | Details |
| 2025-07-23 11:06:24 | thehackernews | MALWARE | Advanced Statistical Approaches Improve Kerberoasting Attack Detection | Kerberoasting remains a significant threat in Windows Active Directory environments: any authenticated domain user can request a Kerberos service ticket (TGS) for an account that has a Service Principal Name, and because that ticket is encrypted with the service account's password hash, it can be taken offline and cracked.
Traditional detection methods, such as heuristic-based approaches, struggle with high false positives and miss subtle, low-and-slow attack tactics.
The BeyondTrust research team has developed a statistical model aiming to enhance detection accuracy by analyzing patterns and reducing false positives.
This new model groups similar Kerberos ticket-request patterns into clusters, analyzing frequency and behavior to establish what 'normal' looks like for each group.
Initial testing across 1,200 hours demonstrated promising results, enhancing the ability to detect anomalies while understanding typical user behaviors.
Collaboration between security researchers and data scientists proved crucial, blending contextual security insight with advanced data analysis techniques.
Alongside better detection, proactive identity hardening is recommended to reduce Kerberoasting exposure (long random passwords or group Managed Service Accounts for SPN-bearing accounts, and disabling RC4 ticket encryption where possible).
The research team's efforts indicate that even well-known attack methodologies like Kerberoasting can be countered more effectively with innovative detection models. | Details |
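As an added illustration of the detection idea described in this entry (written for this brief, not BeyondTrust's model, which the page does not reproduce), the script below runs a classic burst threshold and a robust statistical baseline over a constructed set of Windows Security Event ID 4769 (Kerberos service ticket request) records. The baseline uses a single population-wide median/MAD instead of learned clusters, and every account name, SPN and timestamp is invented. The burst rule catches only the noisy attacker; the distinct-SPN baseline computed over the whole window also catches the low-and-slow one.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed Event ID 4769 records (requesting account, service/SPN account,
# TicketEncryptionType, timestamp). Names and timings are invented for illustration;
# 0x17 is RC4-HMAC (the etype Kerberoasting tooling usually asks for), 0x12 is AES256.
SAMPLE_4769 = []

def _add(user, services, start, step, etype="0x12"):
    t = start
    for svc in services:
        SAMPLE_4769.append({"time": t, "user": user, "service": svc, "etype": etype})
        t += step

BASE = datetime(2025, 7, 22, 8, 0)
# Eight ordinary users: two or three distinct services spread over a working day.
for i in range(8):
    _add(f"user{i}", ["cifs/fs01", "http/intranet", "mssql/sql01"][: 2 + i % 2],
         BASE + timedelta(minutes=7 * i), timedelta(minutes=90))
# Noisy attacker: 25 distinct SPNs requested with RC4 within a few minutes.
_add("burst.attacker", [f"svc{n}/host{n}" for n in range(25)],
     BASE + timedelta(hours=1), timedelta(seconds=6), etype="0x17")
# Low-and-slow attacker: 20 distinct SPNs with RC4, one request every 40 minutes.
_add("slow.attacker", [f"svc{n}/host{n}" for n in range(20)],
     BASE, timedelta(minutes=40), etype="0x17")

def burst_heuristic(events, window=timedelta(minutes=5), threshold=10):
    """Classic rule: flag an account that makes more than `threshold` TGS requests
    inside any sliding `window`. Cheap, but blind to slow enumeration."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # drop requests older than the window
                j += 1
            if i - j + 1 > threshold:
                flagged.add(user)
                break
    return flagged

def account_features(events):
    """Per account: number of distinct SPNs requested and fraction of RC4 tickets,
    computed over the whole sample (one 24-hour window in a real deployment)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    return {
        user: {
            "distinct_spns": len({e["service"] for e in evs}),
            "rc4_fraction": sum(e["etype"] == "0x17" for e in evs) / len(evs),
        }
        for user, evs in by_user.items()
    }

def baseline_detector(events, k=3.0):
    """Flag accounts whose distinct-SPN count is an outlier against the population's
    robust baseline (median + k * MAD). A cluster-per-role model would compute the
    same baseline per peer group instead of once for everyone."""
    feats = account_features(events)
    counts = [f["distinct_spns"] for f in feats.values()]
    med = median(counts)
    mad = median(abs(c - med) for c in counts) or 1.0   # guard against MAD == 0
    flagged = {}
    for user, f in feats.items():
        score = (f["distinct_spns"] - med) / mad
        if score > k:
            flagged[user] = {"score": round(score, 1), **f}
    return flagged

if __name__ == "__main__":
    print("burst rule:", sorted(burst_heuristic(SAMPLE_4769)))
    for user, info in baseline_detector(SAMPLE_4769).items():
        print("baseline:", user, info)
```

In a real pipeline the features would be computed per peer group (the clusters the entry describes) and the RC4 fraction would be a strong secondary signal, since modern clients request AES tickets by default and a run of RC4 requests for many different SPNs is rarely legitimate.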
| 2025-07-23 09:34:47 | thehackernews | MALWARE | Google Initiates OSS Rebuild for Open-Source Security Enhancement | Google has launched OSS Rebuild, aiming to enhance the security of open-source packages and protect against software supply chain attacks.
OSS Rebuild provides security metadata to validate the origin of packages and confirm that they have not been altered, contributing to safer software dependencies.
The project targets packages from major registries such as the Python Package Index, npm, and Crates.io, with plans to expand further.
It employs declarative build definitions, build instrumentation, and network monitoring to recreate package builds and compare them with existing artifacts.
OSS Rebuild uses SLSA Provenance to publish build definitions and outcomes, allowing for the verification of package origins and the repeatability of secure builds.
The solution aids in detecting compromises within the supply chain, enhancing Software Bills of Materials, accelerating vulnerability responses, and reinforcing trust in packages.
When automatic reproduction of a package fails, a manually written build specification can be supplied so the package can still be rebuilt and its provenance published.
Because the rebuild happens independently of the publisher's CI/CD pipeline, consumers no longer have to trust that pipeline alone; verification becomes a check that security teams and developers can run themselves.
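As an added example of the kind of check this metadata enables (illustration written for this brief, not Google's OSS Rebuild code; the rebuilder identity, build type, package name and artifact bytes are all invented), the script below compares a registry artifact's SHA-256 against the subject digest recorded in an in-toto Statement carrying SLSA Provenance v1 for the rebuild. It assumes the statement's DSSE envelope signature has already been verified, which a real consumer must do before trusting any of its fields.

```python
import hashlib

# Constructed artifact bytes standing in for a package downloaded from a registry,
# and a tampered copy representing a registry artifact that differs from what the
# upstream source actually builds to.
REGISTRY_ARTIFACT = b"fake_package-1.0.0.tar.gz: source tree as published"
TAMPERED_ARTIFACT = REGISTRY_ARTIFACT + b"\n# payload injected at publish time"

REBUILDER_ID = "https://rebuilder.example.invalid/v1"   # assumed builder identity

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed in-toto Statement v1 with a SLSA Provenance v1 predicate, as a rebuilder
# might publish after reproducing the package from source. Only the subject digest is
# derived from the data above; every other value is invented for illustration.
REBUILD_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{
        "name": "pkg:pypi/fake-package@1.0.0",
        "digest": {"sha256": sha256_hex(REGISTRY_ARTIFACT)},
    }],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://rebuilder.example.invalid/rebuild/v1",   # assumed
            "externalParameters": {"ecosystem": "pypi", "package": "fake-package",
                                   "version": "1.0.0",
                                   "artifact": "fake_package-1.0.0.tar.gz"},
        },
        "runDetails": {"builder": {"id": REBUILDER_ID}},
    },
}

def verify_against_rebuild(artifact: bytes, statement: dict, trusted_builder: str):
    """Return (ok, reason). Accepts the artifact only if the statement is SLSA v1
    provenance from the builder we trust and lists the artifact's exact digest as a
    subject. Signature verification of the DSSE envelope is assumed to have happened
    before this function is called."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto Statement v1"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "predicate is not SLSA Provenance v1"
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != trusted_builder:
        return False, f"provenance produced by untrusted builder {builder!r}"
    digest = sha256_hex(artifact)
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") == digest:
            return True, f"artifact matches rebuilt subject {subject.get('name')}"
    return False, ("artifact digest not among rebuilt subjects: the registry artifact "
                   "differs from what the upstream source reproduces")

if __name__ == "__main__":
    for label, blob in (("published", REGISTRY_ARTIFACT), ("tampered", TAMPERED_ARTIFACT)):
        print(label, verify_against_rebuild(blob, REBUILD_PROVENANCE, REBUILDER_ID))
```

The digest mismatch on the tampered copy is exactly the signal the entry describes: a package whose registry artifact does not reproduce from its public source, which is what a publish-time compromise looks like.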
| 2025-07-23 06:28:11 | thehackernews | CYBERCRIME | CISA Reports Active Attacks on Newly Disclosed SysAid Vulnerabilities | CISA has added two newly exploited SysAid software vulnerabilities to its Known Exploited Vulnerabilities catalog.
These are XML External Entity (XXE) injection flaws that can be abused for server-side request forgery (SSRF) and unauthorized remote file access.
Research by watchTowr Labs uncovered these flaws alongside CVE-2025-2777, a critical pre-authenticated XXE vulnerability.
SysAid addressed these vulnerabilities in March 2025 with an updated software release (version 24.4.60 build 16).
The specifics of the threats, including attacker identities and intents, remain unclear.
Federal Civilian Executive Branch agencies are mandated to implement the updates by August 12, 2025, to mitigate risks.
Attackers could also potentially achieve remote code execution by chaining these vulnerabilities with another flaw from CyberArk. | Details |
| 2025-07-23 04:45:11 | thehackernews | NATION STATE ACTIVITY | Chinese Hackers Exploit SharePoint Flaws, CISA Mandates Patch | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has required all Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft SharePoint vulnerabilities CVE-2025-49704 and CVE-2025-49706 by July 23, 2025, due to evidence of active exploitation by Chinese hacking groups.
Chinese groups identified as Linen Typhoon and Violet Typhoon have been exploiting these vulnerabilities since July 7, 2025, to gain unauthorized access to on-premises SharePoint servers.
The chain pairs a spoofing/authentication-bypass bug (CVE-2025-49706) with a deserialization RCE bug (CVE-2025-49704) and is collectively known as ToolShell. Microsoft subsequently assigned CVE-2025-53770 to a variant of the RCE flaw that bypassed the original fix and is the bug seen exploited in the wild.
Microsoft has confirmed that CVE-2025-53771, a variant of the spoofing flaw, likewise bypasses the earlier patch, so only the updated July releases fully mitigate the chain.
Microsoft recommended enabling SharePoint's Antimalware Scan Interface (AMSI) integration as an interim mitigation, but watchTowr Labs demonstrated a bypass, so AMSI cannot substitute for patching; because exploitation exposes the server's ASP.NET machine keys, Microsoft also advises rotating those keys after applying the update.
CISA, continuing to update its Known Exploited Vulnerabilities Catalog with assistance from Microsoft, emphasizes the importance of compliance with the patching directive given the sophistication of the attacks and potential for significant breaches. | Details |
| 2025-07-23 03:13:50 | theregister | NATION STATE ACTIVITY | China Alerts to Backdoored Tech and Undersea Surveillance Threats | The Chinese Ministry of State Security has issued warnings about backdoored devices and supply chain attacks, focusing on foreign-made technology.
The Ministry advises against relying on foreign tech products and encourages buying domestic technology to reduce information security risks.
It also raises concerns about foreign espionage in China's territorial waters using covertly deployed undersea devices.
A recent incident involved Chinese fishermen discovering a device suspected of gathering hydrological data and monitoring ship activities covertly.
The Ministry suggests that foreign intelligence agencies and possibly international organizations may be involved in undersea surveillance and data theft.
These actions by foreign entities are described as threats to China’s national security.
Chinese citizens are urged to educate themselves about cybersecurity risks, maintain vigilance, and report any suspicious activities to authorities. | Details |
| 2025-07-22 21:34:47 | bleepingcomputer | MALWARE | Lumma Infostealer Malware Resurfaces Post Law Enforcement Disruption | The Lumma infostealer malware operation has resumed after a major law enforcement crackdown in May, involving the seizure of 2,300 domains.
Despite considerable disruptions, Lumma's malware-as-a-service (MaaS) was not completely shut down; restoration began almost immediately post-seizure.
The malware network has almost returned to its original activity level before the crackdown, facilitated by new infrastructure and trust rebuilding within the cybercrime community.
Trend Micro reports a swift resurgence in operations, with network telemetry showing rapid infrastructure rebuilding by Lumma operators.
Lumma now utilizes alternative legitimate cloud providers, including Russian-based Selectel, to evade further takedowns.
The malware is distributed through four main channels (fake software cracks and keygens, ClickFix pages, GitHub repositories, and YouTube/Facebook posts), indicating a robust and diversified infection strategy.
The persistence and recovery of Lumma indicate that current law enforcement strategies may need revisions, as arrests or indictments are essential to curb such resilient cybercrime activities. | Details |
| 2025-07-22 21:14:42 | theregister | NATION STATE ACTIVITY | U.S. Cyber Defense Program CyberSentry Funding Expires Amid Threats | The U.S. government failed to renew funding for the CyberSentry program, halting its operations at Lawrence Livermore National Laboratory (LLNL).
CyberSentry aims to detect emerging cyber threats on critical infrastructure networks, focusing on sectors like energy, healthcare, and water.
The program identified and monitored foreign espionage activity and malware targeting operational technology (OT).
The halt in funding means LLNL can no longer analyze data from network sensors, decreasing visibility into ongoing cyber threats.
Testimonies reveal cybersecurity weaknesses in U.S. critical infrastructure, with calls for urgent preparation against potential major attacks.
LLNL had success in the past, such as detecting intrusive Chinese surveillance cameras embedded in U.S. infrastructure.
The program's cessation is part of a broader issue of unstable funding and staffing challenges at the Cybersecurity and Infrastructure Security Agency (CISA).
Officials express concerns over national security risks due to the funding gap, echoing previous issues with the CVE program run by MITRE. | Details |
| 2025-07-22 17:55:33 | bleepingcomputer | MALWARE | Coyote Malware Exploits Windows UI for Banking Data Theft | A newly evolved variant of the Coyote banking trojan is now exploiting the Microsoft UI Automation (UIA) framework to potentially steal credentials from users of banking and cryptocurrency exchange websites.
Microsoft UIA is an accessibility framework that interacts with UI elements in applications, which malware uses to inspect and control user interfaces covertly.
Akamai says the technique can evade traditional endpoint detection and response (EDR) tooling, since reading and driving UI elements through an accessibility API is something legitimate software also does, posing a significant challenge to current defenses.
Initially detected in February 2024, Coyote has targeted 75 specific financial and cryptocurrency services, primarily focusing on Brazilian institutions.
The malware identifies targeted sites by extracting web addresses from browser UI elements like tabs or address bars, checking them against a predefined list of services.
Besides using keylogging and phishing overlays, Coyote's latest variant leverages UIA for data theft, marking an advancement in its capabilities.
Microsoft has yet to respond to queries about potential updates or safeguards against such misuse of their accessibility features. | Details |
| 2025-07-22 17:46:22 | theregister | MALWARE | Urgent Alert for Arch Linux Users to Remove Compromised Browsers | Arch Linux issued a security alert advising users to uninstall and reinstall Firefox, LibreWolf, and Zen browsers due to compromised packages in the Arch User Repository (AUR).
The compromised packages, identified as librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin, contained a Remote Access Trojan (RAT).
The malicious packages were uploaded to the AUR on July 16 and removed on July 18, about two days later.
Users are advised to take further precautions to ensure their systems were not compromised by checking for unknown processes and unusual network traffic.
The AUR, while providing extensive software options for Arch users, is often less regulated and has historically been susceptible to similar malware incidents.
Arch Linux’s infrastructure, relying on community contributions to AUR, poses both strengths in diversity of available software and risks in security.
The Register has reported similar malware issues affecting other software repositories, emphasizing the ongoing challenge of securing software supply chains.
This incident underscores the necessity for users to maintain vigilance and practice robust security hygiene, especially when utilizing community-supported repositories. | Details |
| 2025-07-22 17:40:02 | bleepingcomputer | CYBERCRIME | Interlock Ransomware Escalates Attacks on Global Industries | CISA, FBI, and other agencies issued a warning regarding rising Interlock ransomware activities, affecting businesses and critical infrastructure.
Interlock ransomware, identified in September 2024, has increasingly targeted various sectors worldwide, particularly healthcare.
These ransomware attacks involve data theft and subsequent encryption, pressuring victims to pay ransoms to regain access and prevent data leaks.
Notable breaches include DaVita and Kettering Health, with significant data theft and operational disruptions reported.
Interlock leverages unique tactics like drive-by downloads from compromised legitimate sites and double extortion schemes.
Recent intrusions also use the FileFix technique, a ClickFix variant that tricks the victim into pasting a command into the Windows File Explorer address bar so that it executes a malicious script.
Recommended defenses include DNS filtering, web application firewalls, routine patching, network segmentation, identity, credential and access management (ICAM) policies, and mandatory multifactor authentication.
The advisory provides network defenders with latest indicators of compromise and strategic mitigation measures to thwart such ransomware attacks. | Details |
| 2025-07-22 17:31:28 | bleepingcomputer | DATA BREACH | Major European Healthcare Provider Suffers Significant Data Breach | AMEOS Group, a large healthcare network in Central Europe, reported a security breach impacting customer, employee, and partner data.
The breach involved unauthorized access to the healthcare provider's IT systems, despite extensive security measures.
AMEOS operates over 100 healthcare facilities, employs around 18,000 staff, and generates more than $1.4 billion in annual revenue.
All IT systems were shut down, and network connections were severed to mitigate the breach; external IT and forensic experts were enlisted for aid.
Data protection authorities in Switzerland, Germany, and Austria were notified, and a criminal complaint has been filed.
AMEOS has advised individuals associated with their facilities to be cautious of potential phishing and scam attempts.
AMEOS says it has no evidence so far that any stolen data has been published online, though the investigation is ongoing.
Updates will be provided through AMEOS's website as the investigation progresses and new details emerge. | Details |
| 2025-07-22 16:48:22 | theregister | NATION STATE ACTIVITY | Chinese State Groups Exploit Microsoft SharePoint Vulnerabilities | Chinese state-backed groups, Linen Typhoon and Violet Typhoon, are exploiting recently identified vulnerabilities in on-premises Microsoft SharePoint servers.
Linen Typhoon primarily targets entities involved in government, defense, and human rights, focusing on stealing intellectual property.
Violet Typhoon engages in espionage, aiming at former government and military personnel, NGOs, think tanks, and sectors like education and media across US, Europe, and East Asia.
A third group, Storm-2603, possibly China-based but not confirmed as state-sponsored, has been using these vulnerabilities for unclear purposes.
Microsoft has released patches for the identified vulnerabilities covering all supported on-premises versions of SharePoint Server: Subscription Edition, 2019, and 2016.
The presence of multiple proofs of concept for exploiting these vulnerabilities on GitHub indicates a high risk of further attacks by various cybercriminal groups.
Organizations are strongly urged to apply these security updates immediately to prevent potential breaches and data theft.
Microsoft continues to investigate the activities of additional threat actors exploiting these vulnerabilities. | Details |