Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 11827
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-06 15:21:37 | bleepingcomputer | CYBERCRIME | Surge in Phishing Scams Targeting Toll Payment Users | A significant resurgence in phishing scams impersonating toll payment authorities like E-ZPass is currently underway, with victims receiving fraudulent iMessage and SMS texts. These phishing texts are engineered to trick victims into providing sensitive information such as names, email addresses, physical addresses, and credit card details on fake websites. The scam messages employ a sense of urgency to compel immediate action, threatening additional fees or license suspensions if the tolls are not paid by a specified deadline. Despite protective measures like Apple's automatic link disabling for unknown senders, scammers circumvent these by urging victims to reply to the texts, which makes the links clickable. The phishing websites involved are designed to look authentic and are tailored to display properly only on mobile devices, not desktops. Victims report receiving up to seven scam messages in a single day, illustrating both the aggressiveness and high volume of this phishing campaign. The use of the phishing-as-a-service platform Lucid, combined with encrypted messaging technologies, suggests a sophisticated and coordinated effort to evade traditional anti-spam filters. To stay safe, individuals receiving suspicious messages are advised to verify any outstanding toll charges directly through their official toll authority websites and to report and block suspicious numbers. | Details |
| 2025-04-06 14:23:47 | bleepingcomputer | CYBERCRIME | Malicious PyPI Package Exploits WooCommerce for Carding | A malicious PyPI package named 'disgrasya' abused WooCommerce to validate stolen credit cards and was downloaded 34,000 times. It targeted stores using the CyberSource payment gateway, exploiting this connection to assess the validity of stolen card data from dark web sources. The package bypassed typical supply chain security measures by blatantly advertising its malicious intent on PyPI, differentiating itself from more deceptive cyberthreats. Attackers employed a Python script within the package to collect product IDs, add items to carts, and simulate the checkout process by stealing security tokens. Cards validated by the script were either directly used for fraud or sold on cybercriminal marketplaces. This highly automated and targeted attack workflow is designed to mimic legitimate customer traffic, making it extremely challenging for conventional fraud detection systems to identify. To mitigate such threats, Socket researchers recommend several strategies, including blocking low-value orders, monitoring for multiple failures, applying CAPTCHAs, and implementing rate limits at checkout points. | Details |
| 2025-04-05 15:54:17 | thehackernews | CYBERCRIME | Cybercriminal Unmasked by Microsoft Despite Dual Life in Cybersecurity | Microsoft credited EncryptHub, a cybercriminal, for revealing two security flaws in Windows. EncryptHub, also known as SkorikARI, previously engaged in cybercrime by distributing malware via a bogus WinRAR site. This individual has compromised over 618 high-value targets across various industries in nine months. EncryptHub mixed legitimate cybersecurity activities with cybercriminal exploits and was active in bug bounty programs before fully turning to cybercrime. Detailed investigations traced EncryptHub's online criminal activities back to poor operational security practices that exposed their identity; EncryptHub also used tools like OpenAI's ChatGPT to develop malware. Though originally from Ukraine, EncryptHub relocated near the Romanian coast and resumed cybercrime activities after an apparent period of jail time. The dual existence of EncryptHub as both a cybersecurity asset and a cybercriminal showcases significant challenges in the cybersecurity domain. | Details |
| 2025-04-05 15:38:06 | bleepingcomputer | MISCELLANEOUS | Coinbase to Revise Misleading 2FA Error Messages Soon | Coinbase is addressing user concerns regarding misleading "second_factor_failure" messages in their account activity logs. Users reported panic and confusion, fearing their accounts were compromised after receiving phishing communications. These account activity alerts were triggered by either incorrect 2FA entries or wrong password attempts. Despite fears of a security breach, the situation was linked to mislabeled error messages rather than an actual compromise. Discussions on platforms like Reddit confirmed that others experienced similar issues, further indicating the problem's scope. Coinbase has acknowledged the issue and is working on changing the misleading error notifications. There is no specific timeline provided by Coinbase for when this change will be implemented. The misleading messages are being exploited by threat actors to conduct social engineering attacks. | Details |
| 2025-04-05 14:29:16 | thehackernews | NATION STATE ACTIVITY | North Korean Hackers Spread BeaverTail Malware via npm Libraries | North Korean hackers are distributing BeaverTail malware and a new RAT loader through malicious npm packages linked to a job interview-themed phishing campaign. The malicious npm packages were downloaded over 5,600 times before their removal, employing encoding techniques to evade detection. One identified package used a command-and-control address previously associated with the Lazarus Group's Phantom Circuit campaign. The attackers have used Bitbucket and GitHub to host payloads, showcasing adaptation and evolution in their tactics. The campaign's end goal is to infiltrate developer systems, steal sensitive data, siphon financial assets, and ensure long-term system access. Analysis of the malware shows minor code variations across packages, suggesting an attempt to increase infection success rates. South Korean cybersecurity researchers have linked this activity to a wider phishing campaign targeting local developers with recruitment-themed lures. The broader campaign involves multiple tools, including a Windows backdoor capable of command execution and sensitive data exfiltration. | Details |
| 2025-04-05 14:16:13 | bleepingcomputer | MALWARE | Vulnerability in WinRAR Bypasses Windows Security Warnings | A critical vulnerability, identified as CVE-2025-31334, was discovered in the WinRAR file archiver that allows bypassing Windows' Mark of the Web (MotW) security alerts. The flaw affects all versions of WinRAR prior to the latest 7.11 release and enables the execution of arbitrary code on Windows machines. The MotW feature adds a metadata value indicating that a file is potentially unsafe if downloaded from the internet, prompting a security warning when such a file is executed. In affected WinRAR versions, a symbolic link (symlink) can be manipulated to bypass the MotW warning, potentially allowing malware execution without user knowledge. Creation of symbolic links in Windows generally requires administrator permissions, adding an additional security layer. The vulnerability was responsibly reported by Shimamine Taihei through Japan's Information Technology Promotion Agency and addressed in WinRAR version 7.11. WinRAR has included enhancements from version 7.10 onwards to remove potentially privacy-compromising information from the MotW alternate data stream. Previous instances of similar MotW bypass issues have been exploited by threat actors, including state-sponsored groups, to deliver malware covertly. | Details |
| 2025-04-05 08:45:56 | thehackernews | CYBERCRIME | Malicious Python Libraries on PyPI Steal Sensitive Data | Cybersecurity researchers discovered malicious libraries in the Python Package Index (PyPI) that stole sensitive data. The affected packages include bitcoinlibdbfix and bitcoinlib-dev, which impersonated fixes for the legitimate bitcoinlib module. Another package, disgrasya, contained a script for automating credit card fraud, specifically targeting WooCommerce stores. These packages were downloaded more than 39,000 times before being removed from the distribution site. Attackers engaged with users on GitHub, deceitfully promoting the malicious packages as necessary updates. The disgrasya package tested stolen credit card information on e-commerce sites to avoid fraud detection mechanisms. Malicious packages were programmed to simulate legitimate shopping activities to validate stolen credit card details. The research teams from ReversingLabs and Socket exposed the functionality and objective of these malicious Python packages. | Details |
| 2025-04-04 19:31:53 | theregister | NATION STATE ACTIVITY | NSA Leadership Shake-Up: Impact on U.S. National Security | President Trump dismissed both the head of the NSA and U.S. Cyber Command, General Timothy Haugh, and his civilian deputy, Wendy Noble, amid controversies. The firings were allegedly influenced by Laura Loomer, a far-right figure with extreme views, who had recently met with President Trump. Senator Mark Warner criticized the decision as politically motivated and detrimental to national security, highlighting the inconsistency compared to other administrative decisions. Representative Jim Himes expressed concern that the dismissal of Haugh, noted for his nonpartisan and security-focused approach, made the country less safe. General Haugh had been a reputable leader in national defense, confirmed unanimously by the Senate, with both offensive and defensive cyber experience. The new acting head of the NSA is Lieutenant General William Hartman, previously involved in offensive cyber operations. The shake-up coincides with the dismissal of other National Security Council members, adding to the turbulence within the U.S. national security apparatus. | Details |
| 2025-04-04 17:32:21 | bleepingcomputer | DATA BREACH | Port of Seattle Hit by Ransomware, 90,000 People's Data Compromised | In August 2024, the Port of Seattle suffered a ransomware attack by the Rhysida group, impacting IT infrastructure and service systems, including reservation check-ins and flight displays. The attack led to data theft involving 90,000 individuals, primarily employees and contractors, and involved sensitive information such as Social Security numbers and medical data. Despite the disruption, major airline and maritime operations remained unaffected, as proprietary and federal partner systems were not compromised. The Port of Seattle refused to pay the ransom, risking public exposure of the stolen data on the group's dark web leak site. The ongoing investigation indicates that the breach occurred in mid-to-late August, with a complex and time-consuming assessment of the compromised data. Notification letters have been sent to the affected individuals, the majority of whom are residents of Washington state. The Rhysida ransomware-as-a-service operation has been active since May 2023 and has previously targeted high-profile entities globally. | Details |
| 2025-04-04 16:53:28 | bleepingcomputer | CYBERCRIME | Sophisticated PoisonSeed Phishing Attack Targets Crypto Wallets | A phishing campaign named "PoisonSeed" targets corporate marketing accounts to send fraudulent crypto seed phrases. The campaign infiltrates platforms like Mailchimp, SendGrid, and others using sophisticated phishing techniques to access user credentials. Its operators are possibly unknown actors, distinct from but similar to the known groups CryptoChameleon and Scattered Spider, and it uses unique code variations. It employs domains resembling official service URLs to deceive victims, stealing their credentials and using them to send malicious emails. Victims receiving these emails are misled into creating new wallets with seed phrases controlled by the attackers, compromising their assets. The subsequent phishing emails contain urgent upgrade or transfer instructions to trick recipients into using these compromised seed phrases. Security recommendations include ignoring unsolicited upgrade requests sent via email and always accessing platforms directly through secure means. Users are advised to generate their own seed phrases and should not use or reuse seed phrases sent via email. | Details |
| 2025-04-04 16:12:42 | bleepingcomputer | CYBERCRIME | Massive Credential Stuffing Attacks Compromise Australian Super Funds | Over 20,000 accounts were breached in credential stuffing attacks against multiple Australian superannuation funds. AustralianSuper reported that 600 of its accounts were compromised using stolen passwords for fraudulent activities. Rest's MemberAccess portal was targeted, with 8,000 members having personal data exposed, though no funds were reportedly stolen. Hostplus and Insignia Financial are assessing the damage, though Insignia has found no evidence of financial loss yet. ASFA has launched a Financial Crime Protection Initiative, including a hotline and a toolkit to improve industry-wide cyber defenses. Australian pension funds are urged to increase security measures, including encouraging members to use unique passphrases and update software. | Details |
| 2025-04-04 14:15:48 | bleepingcomputer | DATA BREACH | Europcar Data Breach Compromises Customer Information | Europcar Mobility Group experienced a data breach impacting 50,000 to 200,000 customers, exposing personal data stored in GitLab repositories. A hacker stole source code for Europcar's Android and iOS applications, along with SQL backups that contained customer names and email addresses. The breached data includes 37GB of backups and details about the company's cloud infrastructure and internal applications, without exposure of sensitive details like bank information or passwords. The threat actor attempted to extort Europcar by threatening to release the stolen data. Europcar notified affected customers and the data protection authority in each respective country about the breach. Investigations revealed that the credentials used in the breach might have been obtained from previous infostealer compromises. The total extent of the damage is still under assessment, with efforts focused on strengthening security measures to prevent future incidents. Europcar's code repositories were targeted previously and were also part of a fake breach reporting incident in the past year. | Details |
| 2025-04-04 12:33:42 | thehackernews | CYBERCRIME | Access Token Theft Sparks GitHub Supply Chain Attack | A personal access token theft at SpotBugs triggered a widespread supply chain attack on GitHub, notably affecting Coinbase. Attackers initially infiltrated the GitHub Actions workflow of SpotBugs, leveraging it to compromise the repositories of the reviewdog project. The breach began in November 2024 but only became evident in March 2025 when Coinbase was directly targeted. The malicious activity involved pushing a tampered version of "reviewdog/action-setup," which was automatically disseminated through its dependencies. The attacker gained repository write access by being added as a member by a SpotBugs maintainer, using a previously stolen PAT to facilitate further malicious modifications. This attack employed a "pull_request_target" trigger in GitHub Actions, which allowed the attacker to execute workflows with access to repository secrets. The incident came to light after several months of the attackers monitoring the dependency architecture, choosing the right moment to exploit high-value targets. Following the attack's detection, the SpotBugs maintainer rotated all tokens and PATs to revoke unauthorized access and prevent future breaches. | Details |
| 2025-04-04 11:39:58 | theregister | MISCELLANEOUS | The Critical Role of Swift Incident Response in Cybersecurity | The article emphasizes the importance of timely incident response over merely maintaining backups, as experts have traditionally advised. Research by the UK's Bridewell consultancy highlights slow response times to cyber threats, notably ransomware, with many organizations taking over six hours. Dray Agha of Huntress argues for immediate action within 30 minutes to mitigate risks significantly, as adversaries can cause substantial damage quickly. Simple configuration changes by attackers can create severe security issues, which are often difficult and costly to reverse. Reliance on backups can give organizations a false sense of security, as many backups are outdated or not comprehensive. Rapid incident response is crucial for limiting damage and facilitating quicker operational recovery. Financial constraints often hinder effective incident response and recovery, necessitating ample security budgets for adequate tools and trained personnel. The article suggests investing in proper incident response and continuous funding for security to prevent or mitigate cyber disasters. | Details |
| 2025-04-04 11:00:16 | thehackernews | MISCELLANEOUS | Advancements in Container Technology Redefine Software Delivery | Containerization is now central to modern, cloud-native software development, enhancing application resilience, scalability, and portability. Technological strides from Linux Containers (LXC) to Docker, and the formation of the Open Container Initiative (OCI), have progressively enhanced security and performance in software delivery. Docker simplified the use of container technology, which boosted adoption rates but also brought about concerns regarding vendor lock-in and the need for system interoperability. The OCI addressed these challenges by standardizing container formats and runtimes, ensuring compatibility across various platforms and promoting a competitive atmosphere. Kubernetes, supported by OCI standards, has enabled consistent application orchestration across diverse infrastructures, reinforcing container ubiquity. Modern cloud-native applications demand a minimalistic approach, relying on distroless configurations that cater only to specific microservice needs, enhancing security and efficiency. Chainguard OS exemplifies the next generation of open source software delivery, emphasizing security, up-to-date content, and minimalism, drawing on direct updates from upstream sources. The distroless approach of Chainguard OS demonstrates significant reductions in vulnerabilities and resource use, aligning with the latest industry needs and user feedback. | Details |