Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-05-15 10:04:45 | thehackernews | MALWARE | Sophisticated Malware Deploys Via Npm Package and Google Calendar | A malicious npm package named "os-info-checker-es6" was found using Unicode steganography and Google Calendar to drop payloads. "Os-info-checker-es6" mimics an operating system info tool to facilitate the installation of further malicious code undetected. It utilizes a Google Calendar event link with a Base64-encoded title that points to a remote C2 server, increasing the difficulty of blocking the attack. The package was first uploaded on March 19, 2025, and has been downloaded over 2,000 times. No significant malicious activities were noted in the first five versions of the package; changes began appearing in later versions from May 7, 2025. Another npm package by the same developer was also identified, implying potential links to a broader malicious campaign. Security experts suggest combining behavioral analysis, static and dynamic testing, and thorough validation of third-party packages to combat such threats. The overview was part of a broader analysis detailing emerging cyber threats in software supply chains in the first half of 2025. | Details |
| 2025-05-15 08:27:12 | bleepingcomputer | MALWARE | Google Releases Update to Patch High-Severity Chrome Vulnerability | Google has released updates to fix a high-severity vulnerability in Chrome that could potentially lead to account takeovers. The flaw (CVE-2025-4664) was publicly exploitable and found in Chrome’s Loader component, allowing cross-origin data leakage through malicious HTML pages. The vulnerability was first reported by a Solidlab security researcher and relates to the improper enforcement of referrer-policy in HTTP headers. Exploitation of this vulnerability could expose sensitive user data, such as OAuth query parameters, which might lead to unauthorized account access. Patches have been issued for desktop versions of Chrome (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS). Google encourages users to update their browser immediately to the latest patched version or allow Chrome to automatically install updates. The company had previously addressed a Chrome zero-day vulnerability earlier in the year used in targeted attacks against Russian entities. Google’s proactive patching approach continues as a response to the increasing number of zero-day vulnerabilities being exploited. | Details |
| 2025-05-15 06:34:31 | theregister | MALWARE | DragonForce Ransomware Hits Major Retailers, Avoids Russian Targets | DragonForce, a ransomware-as-a-service (RaaS) group, began its operations in August 2023 and has since claimed 158 victims including major retailers like Marks & Spencer. The group explicitly prohibits attacks on targets within the Commonwealth of Independent States, particularly emphasizing a no-attack policy on Russia and its allies. In March, DragonForce rebranded as a "cartel," enabling affiliates to use its infrastructure for deploying ransomware beyond the group's proprietary code. The FBI identified DragonForce as one of the most prolific ransomware sources in 2024, highlighting the significant threat posed by their expansive affiliate network. Despite speculations, there is no conclusive evidence linking DragonForce to Russia, although it operates on multilingual forums including Ramp, thought to be managed in Russia. DragonForce has set ethical boundaries by warning affiliates against targeting hospitals with critical care units, threatening punishment for violations. The group's operating model not only democratizes ransomware deployment but potentially increases its visibility and risk of law enforcement intervention. | Details |
| 2025-05-15 06:21:48 | thehackernews | MALWARE | Google Updates Chrome to Fix Documented Malicious Vulnerability | Google has issued updates for Chrome to address a high-severity vulnerability allowing cross-origin data leaks. Identified as CVE-2025-4664, the security flaw was exploited in the wild, with a CVSS score of 4.3. The vulnerability results from insufficient policy enforcement related to the Loader component in versions prior to 136.0.7103.113. Attackers could exploit this issue by setting the referrer-policy to "unsafe-url" in the Link header, enabling them to capture full query parameters. These parameters could include sensitive information potentially leading to account takeovers. Security expert Vsevolod Kokorin first detailed this vulnerability, highlighting the unique risk in Chrome compared to other browsers. Users are urged to update their Chrome browsers immediately, and other Chromium-based browsers should follow suit as updates become available. This is the second Chrome vulnerability reported this year that has been actively exploited. | Details |
| 2025-05-14 20:46:52 | theregister | CYBERCRIME | Nucor Halts Production Across Multiple Sites Due to Cyberattack | Nucor, the largest U.S. steel manufacturer, temporarily shut down production after a cyber intrusion was detected on its servers. The company filed an 8-K with the SEC revealing that specific IT systems were compromised, prompting shutdowns at some facilities. Third-party security experts and law enforcement have been engaged to investigate the incident. The nature of the cyberattack and specifics about the affected facilities remain undisclosed. The attack on Nucor underscores the vulnerability of critical infrastructure in the U.S. to both nation-state actors and ransomware groups. Nucor is in the process of restarting operations, though details about the recovery’s timeline are not provided. Previous incidents, like the Colonial Pipeline cyberattack, highlight the potentially severe consequences and motivations behind targeting major U.S. infrastructure. | Details |
| 2025-05-14 20:31:35 | bleepingcomputer | MISCELLANEOUS | Google Chrome Enhances Security by Blocking Admin-Level Launches | Google is updating Chromium to increase security by preventing Chrome from running as an administrator in Windows. This change echoes a security feature first introduced by Microsoft for the Edge browser in 2019, which originally warned users against launching with elevated permissions. The updated feature will automatically "de-elevate" Chrome's permissions if an attempt is made to launch it with administrative rights. Microsoft's involvement in the Chromium project has facilitated the addition of this security feature, which was based on their experiences with Edge. There's an added command-line switch to prevent potential infinite loops caused by the automatic de-elevation process. Running Chrome with administrative rights exposes the system to significant risks, as malicious downloads would also inherit elevated permissions, potentially leading to full system compromise. The de-elevation feature does not affect Chrome processes initiated in automation mode to allow compatibility with necessary automated tools. | Details |
| 2025-05-14 19:47:11 | bleepingcomputer | CYBERCRIME | Scattered Spider Expands Ransomware Attacks from UK to US Retailers | Google Threat Intelligence Group reports that the Scattered Spider hacking group is now targeting US retail companies with ransomware and extortion operations. These attacks follow a pattern of sector-focused campaigns by the group, which has a history of launching successful cyberattacks on retail chains in the UK, including Marks & Spencer. The DragonForce ransomware, used in these attacks, was first seen in action against VMware ESXi hosts, causing major disruptions within affected organizations. US retailers are advised to bolster cybersecurity defenses in response to these emerging threats, as indicated by the recent guidance from the UK National Cyber Security Centre (NCSC) following similar occurrences. Scattered Spider is known for utilizing sophisticated social engineering tactics, including phishing and SIM swapping, to breach high-profile targets and facilitate ransomware deployment. The collective nature of Scattered Spider complicates efforts to track and predict their activities, making them highly effective against even well-protected networks. The NCSC has yet to formally attribute the recent UK retail attacks to any specific group or coordinated campaign, underlining the ongoing investigations and the need for increased vigilance against such threats. | Details |
| 2025-05-14 18:22:39 | theregister | MISCELLANEOUS | Adversarial Exposure Validation: Transforming Vulnerability Management | CVSS (Common Vulnerability Scoring System), once a vital tool in vulnerability management, is now considered inadequate due to its inability to factor in real-world variables and context. Many organizations rely solely on CVSS scores for prioritization, which may lead to misallocated resources and inefficiencies in addressing actual threats. Adversarial exposure validation (AEV) is proposed as a more effective method, focusing on real-world exploitability and impact rather than theoretical severity scores. AEV employs simulations of real attack scenarios in an organization’s specific environment to determine the exploitability and potential damage of vulnerabilities. This approach leads to more accurate risk prioritization, enabling security teams to focus on significant threats and optimize their remediation efforts. AEV also enhances communication within organizations by providing a clearer, more understandable way to report risks based on validated attack scenarios. Continuous validation through AEV offers a dynamic and evidence-based perspective, shifting from static prediction models to proactive, context-aware defense mechanisms. The shift to AEV marks a strategic and necessary evolution in cybersecurity practices, driven by the demand for evidence-based security in a rapidly changing threat landscape. | Details |
| 2025-05-14 18:01:25 | thehackernews | MALWARE | Samsung Releases Fix for Exploited MagicINFO Server Vulnerability | Samsung has issued updates for a critical security vulnerability in MagicINFO 9 Server, specifically targeting CVE-2025-4632 with a CVSS score of 9.8. The flaw, a path traversal vulnerability, allowed attackers to write arbitrary files with system authority and was actively exploited to deploy the Mirai botnet. CVE-2025-4632 was identified as a patch bypass for an earlier vulnerability, CVE-2024-7399, which Samsung had previously addressed in August 2024. The exploitation came to light following the release of a proof-of-concept by SSD Disclosure on April 30, 2025, leading to its misuse in the wild. Cybersecurity firm Huntress uncovered three incidents involving this vulnerability, with attackers downloading further malicious payloads and performing reconnaissance. Samsung advises all users of MagicINFO 9 Server to upgrade to the latest version (21.1052.0) immediately to mitigate the risks associated with this vulnerability. | Details |
| 2025-05-14 17:53:25 | thehackernews | MALWARE | Cybercrime Groups Exploit SAP Flaw to Deploy PipeMagic Trojan | Two cybercrime groups, BianLian and RansomExx, have exploited a vulnerability in SAP NetWeaver to deploy the PipeMagic trojan. ReliaQuest identified multiple incidents linking the exploitation to IP addresses previously associated with these groups. A specific server was found hosting reverse proxy services linked to the BianLian group, facilitating data extortion via the rs64.exe executable. The PipeMagic trojan, recently linked to the exploitation of a zero-day Windows CLFS bug (CVE-2025-29824), affects targets in the U.S., Venezuela, Spain, and Saudi Arabia. Attack attempts involved web shells placed on compromised systems due to exploits in SAP NetWeaver, although initial attempts failed. Subsequent attacks succeeded with the deployment of a Brute Ratel C2 framework and demonstrated new tactics to exploit the CLFS vulnerability. Multiple Chinese hacker groups are also reported to be exploiting related SAP vulnerabilities, indicating widespread malicious interest in the flaws. ReliaQuest emphasized the urgent need for patching both CVE-2025-31324 and CVE-2025-42999 due to similar exploitation risks and consequences. | Details |
| 2025-05-14 17:44:47 | theregister | MISCELLANEOUS | DHS Cancels $2.4 Billion Cybersecurity Contract Amid Legal Dispute | The Department of Homeland Security (DHS) terminated a $2.4 billion cybersecurity contract with Leidos after a legal challenge by competitor Nightwing. Nightwing alleged that Leidos received an unfair advantage due to insider information from a former DHS IT specialist. The contract intended to support the Cybersecurity and Infrastructure Security Agency (CISA) through various IT and cyber capabilities over seven years. DHS cited significant changes in its IT and cybersecurity service needs due to organizational and priority shifts as the reason for contract cancellation, asserting this was unrelated to Nightwing's protest. The contract, known as the ACTS Indefinite Delivery Indefinite Quantity contract, was originally advertised in December 2022 and awarded to Leidos in February. The DHS has no immediate plans to reoffer the contract and is exploring other ways to meet its future needs. Nightwing, spun out of defense contractor Raytheon, has not secured any government contracts since the split, while Raytheon continues to secure contracts in other divisions. | Details |
| 2025-05-14 17:44:46 | bleepingcomputer | CYBERCRIME | Ransomware Groups Exploit SAP Vulnerability in Multinational Hacking | Ransomware gangs have started exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324), previously patched by SAP on April 24. This vulnerability facilitates remote code execution without needing user credentials, allowing hackers to upload malicious files and potentially seize entire systems. RansomEXX and BianLian ransomware operations have escalated their involvement in these attacks, as reported by ReliaQuest. Multiple Chinese APTs (UNC5221, UNC5174, and CL-STA-0048) are also targeting unpatched NetWeaver instances, aligning with potentially strategic aims of the People’s Republic of China. These attacks have led to over 581 backdoored SAP NetWeaver instances, including critical infrastructure targets in the UK, USA, and Saudi Arabia. A second vulnerability, CVE-2025-42999, was also exploited as early as March, enabling attackers to remotely execute arbitrary commands. SAP admins are urged to apply the available patches immediately or disable the compromised Visual Composer service to mitigate risks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated federal agencies to secure their servers against the CVE-2025-31324 flaw by May 20, highlighting the severity and broad potential impact of these vulnerabilities. | Details |
| 2025-05-14 16:34:47 | theregister | CYBERCRIME | Ivanti Issues Patches for Actively Exploited Zero-Days | Ivanti has released patches for two zero-day vulnerabilities under active exploitation, potentially impacting customers using Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities are linked to two undisclosed open source libraries utilized in EPMM, raising concerns across the wider security ecosystem. The Australian Signals Directorate (ASD) issued critical alerts for CVE-2025-4427 and CVE-2025-4428, noting that their combined exploitation could lead to serious remote code execution attacks. Affected organizations are advised to deploy the patches immediately or use alternative safeguarding measures like Portal ACLs or external WAFs. Ivanti is collaboratively working with the maintainers of the affected open source libraries to evaluate the need for separate CVE identifiers for these libraries. Another severe vulnerability, CVE-2025-22462, was addressed in the on-premises version of Neurons for ITSM, though it has not yet been exploited in the wild. Ivanti emphasizes the responsible use of open source code and employs tools like SBOMs to assess potential security threats in third-party libraries. | Details |
| 2025-05-14 16:34:46 | bleepingcomputer | DATA BREACH | Australian Human Rights Commission Suffers Significant Data Leak | The Australian Human Rights Commission (AHRC) reported a data breach where hundreds of documents were leaked and indexed by search engines. Sensitive data exposed includes names, contact details, health information, schooling, religious affiliations, employment data, and photographs. This breach incident involved 670 documents accessed unlawfully between April 3 and May 5, 2025. AHRC emphasized that the data leakage was due to underlying misconfigurations, not a direct result of a cyber attack. All web forms have been disabled by AHRC to prevent further data exposure; a dedicated investigation and taskforce have been set up to address the incident. The Office of the Australian Information Commissioner (OAIC) has been notified, and efforts are underway to remove the exposed documents from search engines. Affected individuals are being personally notified and provided with mental health support links due to potential distress from the exposure. | Details |
| 2025-05-14 15:38:31 | theregister | DATA BREACH | Meta Faces Legal Challenges Over EU User Data for AI Training | Max Schrems and noyb issued a cease and desist letter to Meta, challenging its AI data training practices in the EU. Noyb argues that Meta's reliance on "legitimate interest" to bypass explicit user consent for AI training violates GDPR rules. Previously, Meta paused its AI training in the EU following disputes and resumed under guidelines believed to conform with EDPB recommendations. Meta contends the data collection is vital for culturally aware AI, yet noyb deems it excessive compared to competitors like OpenAI. Schrems and noyb are prepared to seek injunctions and potentially pursue a class-action lawsuit, which could result in significant damages. Other EU groups are also considering legal action against Meta for its data collection practices for AI training. Meta believes its data processing approach for AI training is transparent and validated by EDPB, although interpreted differently by noyb. | Details |