Daily Brief
Articles are listed below with generated summaries
Total articles found: 11839
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-03-17 15:25:58 | bleepingcomputer | CYBERCRIME | Supply Chain Attack Targets GitHub Action, Exposes Secrets | A recent supply chain attack targeted the 'tj-actions/changed-files' GitHub Action, affecting 23,000 repositories. Malicious code was added on March 14, 2025, which dumped CI/CD secrets into GitHub Actions build logs. All version tags of the action were retroactively updated to point at the malicious commit, so every version was compromised. The compromised GitHub personal access token (PAT) of a bot facilitated the attack; details on how the PAT was compromised remain unclear. GitHub removed the compromised action on March 15, restoring the repository later that day without the malicious code. Exposed CI/CD secrets were visible in workflow logs, particularly in public repositories, posing a significant security risk. Developers have since updated the repository with recovery instructions, and GitHub has recommended securing Actions against future attacks. A CVE ID (CVE-2025-30066) was assigned for ongoing tracking and management of the incident. |
| 2025-03-17 13:35:54 | bleepingcomputer | CYBERCRIME | Critical Apache Tomcat RCE Vulnerability Exploited by Attackers | A critical remote code execution (RCE) flaw in Apache Tomcat, CVE-2025-24813, is being actively exploited, allowing attackers to hijack servers. Attackers use a simple PUT request with a base64-encoded payload to exploit the vulnerability, and the malicious content bypasses most traditional security filters. Proof-of-concept exploits for this vulnerability were published on GitHub shortly after the flaw was disclosed, aiding the rapid spread of attacks. The attack does not require authentication because of the handling of partial PUT requests and Tomcat's default file-based session storage settings. The vulnerability impacts multiple versions of Apache Tomcat across three major release lines: versions 9, 10, and 11. Apache has released updated versions of Tomcat that address this specific vulnerability and has recommended configuration changes to mitigate risk. Security experts warn that exploitation of this vulnerability could lead to further sophisticated attacks if not addressed promptly, and they highlight a broader issue with partial PUT request handling that could lead to multiple RCE vulnerabilities. |
| 2025-03-17 13:13:01 | thehackernews | MALWARE | Critical Flaw in Edimax Cameras Exploited by Mirai Botnet Variants | An unpatched critical security vulnerability in Edimax IC-7100 network cameras has been exploited since May 2024 to spread Mirai botnet malware. The flaw, identified as CVE-2025-1316 with a CVSS score of 9.3, allows remote code execution via specially crafted requests to the camera's web interface. Attackers use default credentials to access the vulnerable endpoint and inject malicious code, leading to unauthorized device control. Multiple Mirai botnet variants, some featuring anti-debugging capabilities, have been observed exploiting this vulnerability to form botnets for DDoS attacks. Additional vulnerabilities, such as CVE-2024-7214 in TOTOLINK IoT devices and a Hadoop YARN flaw, have also been targeted by these botnets. Edimax has stated that the affected devices are legacy models no longer supported and has advised against exposing these devices online or leaving default settings unchanged. Akamai highlights the ease of creating botnets with publicly available source code and AI, underscoring the ongoing global threat of the Mirai malware lineage. |
| 2025-03-17 12:37:33 | theregister | CYBERCRIME | GitHub Action Compromised, Exposes Secrets Across 23K Repos | The GitHub Action tj-actions/changed-files was altered to leak project secrets into build logs, affecting over 23,000 repositories. Publicly visible logs meant that secrets such as API keys and access tokens were accessible to anyone, posing a high security risk. Although there is no evidence that secrets from public repos were stolen, the impact on large organizations could be severe, as some exposed secrets included AWS access keys and private RSA keys. Following the attack disclosure, project maintainers are urged to audit their repositories, rotate all compromised secrets, and consider alternatives to tj-actions/changed-files. GitHub suggests pinning actions to commit SHA hashes instead of version tags to prevent similar incidents and ensure action immutability. The compromised GitHub action has now been secured, with additional measures such as passkeys and mandatory commit signing implemented to prevent future breaches. The attack was linked to a bot account breach, highlighting the need for ongoing security enhancement and monitoring by GitHub action maintainers. |
| 2025-03-17 11:56:32 | thehackernews | CYBERCRIME | Cybercriminals Use CSS Tricks to Bypass Filters and Track Emails | Cybercriminals are exploiting Cascading Style Sheets (CSS) to evade email spam filters and track recipient behavior, according to a report by Cisco Talos. These malicious activities leverage legitimate CSS properties to hide spam content and redirect recipients to phishing sites without detection. Techniques include using the text-indent and opacity properties in CSS to hide malicious content within emails, fooling both users and spam detection systems. Threat actors use CSS at-rules such as @media to monitor user interactions and environment settings such as device screen size and system fonts, enabling further personalization of scam attempts. The increase in email threats using these methods was particularly noted in the second half of 2024, marking a significant rise in email-based cyber threats. Talos recommends implementing advanced email filtering solutions and privacy proxies to counter these CSS-based tracking and spamming techniques. |
| 2025-03-17 11:33:02 | thehackernews | NATION STATE ACTIVITY | Nation-State Hackers Target Outdated Network Routers | UNC3886, a China-linked hacking group, targeted end-of-life Juniper Networks MX Series routers using sophisticated attacks. The hacking campaign deployed six distinct TinyShell-based backdoors, affecting fewer than 10 organizations. These backdoors included features to disable logging mechanisms, enabling stealthy operations without detection. A security flaw, CVE-2025-21590, allowed the hackers to bypass existing security measures and execute malicious code. The attacks signify heightened risks associated with using outdated infrastructure in critical network components. Emerging vulnerabilities and software flaws across various platforms are actively exploited by attackers, escalating the urgency for timely updates and patches. Law enforcement is intensifying efforts against ransomware and cybercrime, resulting in key figures facing legal action. Security advancements include new tools for early threat detection and ransomware decryption, enhancing defense capabilities against ongoing cyber threats. |
| 2025-03-17 11:00:40 | thehackernews | CYBERCRIME | Novel Ransomware Tactics Utilize Legitimate Cloud Security Features | The SANS Institute highlighted new ransomware threats targeting cloud storage configurations. Palo Alto Networks Unit 42 found that 66% of cloud buckets contain sensitive data vulnerable to attacks. Recent reports detail ransomware attacks exploiting cloud security controls, specifically Amazon S3's SSE-C encryption and AWS KMS keys. Security experts have observed attackers using legitimate features such as encryption mechanisms and external key material, driven by simple scripts. SANS urges organizations to make use of educational resources to bolster cloud security, highlighting upcoming seminars and courses such as SEC510. Staying informed through specialized webcasts and training is recommended to combat these ransomware strategies effectively. |
| 2025-03-17 10:34:56 | theregister | MISCELLANEOUS | UK Government Plans £16 Billion IT Services Procurement | The UK government has announced plans to open competition for the Technology Services 4 framework, worth up to £16 billion. Initially slated to start in October 2024, the procurement was delayed due to legislative changes and will now commence on March 21, 2025. This framework represents a 25% increase in potential spending from the previously proposed £12 billion figure. Changes in the UK's Procurement Act, effective February, have introduced new rules such as the exclusion of suppliers based on past misconduct and the introduction of a debarment list. The Technology Services 4 framework aims to secure competitive pricing for a variety of IT services for public sector entities. Services to be procured include digital consultancy, asset management, application development, and data and security management, among others. The Crown Commercial Service (CCS) has been proactive in updating potential suppliers on the changes and requirements through market engagement notices. |
| 2025-03-17 10:18:29 | thehackernews | CYBERCRIME | GitHub Action Compromise Exposes CI/CD Secrets Across Thousands of Repos | A popular GitHub Action, tj-actions/changed-files, was compromised, affecting over 23,000 repositories and risking exposure of CI/CD secrets. The attack involved unauthorized modifications to the action's code to print sensitive secrets during CI/CD runs, which, if logs were public, could be read without authorization. The incident is classified under CVE-2025-30066 with a high severity score of 8.6, indicating substantial security impact. Compromised secrets include AWS access keys, GitHub PATs, npm tokens, and private RSA keys, among others; however, no direct evidence of data being transferred to attacker-controlled infrastructure was found. The attack exploited a GitHub personal access token used by a bot with elevated repository permissions; after discovery, the token was revoked and security on the account was enhanced. Maintainers have advised users of the impacted GitHub Action to update immediately to the latest version and review any workflows executed around the time of the compromise for anomalies. The incident highlights the ongoing vulnerability of open-source software to supply chain attacks, posing potentially widespread risks to users of compromised software. |
| 2025-03-17 09:39:31 | theregister | MISCELLANEOUS | Analyst Criticizes Microsoft's Demanding Bug Report Requirements | Will Dormann, a senior principal vulnerability analyst, criticized Microsoft for demanding a video to complement a bug report, despite his having provided detailed written explanations and screenshots. Microsoft's Security Response Center (MSRC) insisted on a video proof of concept (PoC) showing the vulnerability being exploited, which Dormann deemed unnecessary and a waste of resources. In response, Dormann created a 15-minute video that included a brief clip from "Zoolander" and a punchy techno music track, with most of the video showing no substantial activity. MSRC's video requirement is not common practice in the industry; for example, CISA's VINCE platform and the UK's NCSC do not mandate videos for vulnerability disclosures. Dormann experienced technical issues when attempting to upload the video to Microsoft's portal, receiving a 403 error, which further complicated the submission process. The incident occurred on the same day MSRC published a blog post praising the strengths of its vulnerability disclosure program, highlighting a potential disconnect between Microsoft's public assertions and its actual practices. Dormann expressed frustration with MSRC's rigid adherence to procedure, feeling it indicated a lack of genuine engagement with security researchers' efforts. |
| 2025-03-16 23:06:30 | theregister | NATION STATE ACTIVITY | FCC Establishes Council to Address Foreign Tech Threats | The FCC announced the formation of a new Council on National Security to address threats from foreign entities, particularly the Chinese Communist Party, to U.S. telecommunications and technology infrastructure. The newly formed council aims to secure networks and technology against continuous foreign exploitation, although its collaboration with other agencies such as CISA remains unclear. Additionally, critical vulnerabilities include an actively exploited CVE in Advantive's VeraCore software rated CVSS 9.9, and several high-risk CVEs in Ivanti EPM software. Arrests were made of the administrators of the Garantex platform, used by ransomware gangs to launder stolen cryptocurrency, with one administrator captured in India. Another security threat was the discovery of North Korean spyware apps on Google and third-party app stores, capable of collecting sensitive data from devices. In Australia, FIIG Securities faces a lawsuit for cybersecurity negligence that allowed a hacker to steal and sell client data, showing significant lapses in corporate cybersecurity practices. |
| 2025-03-16 18:43:06 | bleepingcomputer | CYBERCRIME | GitHub Phishing Campaign Exploits OAuth to Hijack Accounts | A sophisticated phishing campaign targeted approximately 12,000 GitHub repositories using fraudulent "Security Alert" notifications. Attackers deceived users into granting a malicious OAuth app extensive permissions, potentially gaining complete control over affected GitHub accounts and repositories. The phishing messages claimed unusual account access from Reykjavik, Iceland, prompting users to secure their accounts through the provided links. The links directed victims to authorize the "gitsecurityapp" OAuth app, which misleadingly requested permissions under the guise of security enhancements. The campaign was first noticed early in the morning and is still underway, with GitHub actively responding to mitigate its effects. Victims are advised to immediately revoke any suspicious app permissions in their GitHub settings and to review and adjust security settings such as passwords and tokens. Ongoing monitoring by cybersecurity communities and GitHub reflects growing concern over sophisticated phishing techniques leveraging OAuth. |
| 2025-03-16 14:21:53 | bleepingcomputer | CYBERCRIME | Cybercriminals Exploit Microsoft OAuth Apps Mimicking Adobe, DocuSign | Cybercriminals are using malicious Microsoft OAuth apps that impersonate legitimate services such as Adobe and DocuSign to deliver malware and steal Microsoft 365 credentials. Proofpoint researchers identified the campaign and described it as "highly targeted," aimed at sectors such as government, healthcare, supply chain, and retail across the US and Europe. The OAuth apps requested permissions such as 'profile', 'email', and 'openid', which are less likely to raise suspicion, enabling the attackers to operate under the radar. Once permissions are granted, users are redirected through several stages, ending on pages that either phish for more credentials or distribute malware. The phishing campaigns involved emails that appeared to come from charities or small companies with compromised accounts, using RFPs and contracts as lures. Victims of these attacks experienced suspicious login activity immediately after authorizing the malicious OAuth apps. Proofpoint indicated that despite detecting the attacks, the exact type of malware distributed could not be definitively identified; however, techniques from the ClickFix social engineering attack were used. Users and administrators are advised to verify OAuth app requests carefully and to limit consent permissions through Microsoft 365's administrative settings. |
| 2025-03-15 14:18:17 | bleepingcomputer | MALWARE | Security Expert Develops GPU-Powered Akira Ransomware Decryptor | Security researcher Yohanes Nugroho released a GPU-powered decryptor for the Akira ransomware variant targeting Linux systems. The decryptor brute-forces the encryption keys, leveraging GPU capabilities to crack the encryption. Akira ransomware generates unique keys for each file based on the current time in nanoseconds, which are then encrypted using RSA-4096. Nugroho's decryptor identifies candidate decryption keys by analyzing ransomware log files and metadata to narrow down the timestamp. Initial decryption attempts with an RTX 3060 GPU were insufficient, prompting the use of more powerful RTX 4090 GPUs from cloud services, which completed the key discovery in about 10 hours. The decryption process can take several days, depending on the number of files needing recovery. Nugroho shared the decryptor on GitHub, advising users to back up their files before attempting decryption to prevent potential data loss. |
| 2025-03-15 05:59:04 | thehackernews | CYBERCRIME | Over 14,000 Downloads of Malicious PyPI Packages Stealing Cloud Tokens | Cybersecurity researchers uncovered a campaign targeting Python Package Index (PyPI) users with disguised libraries designed to steal cloud access tokens. The malicious packages, which appeared to be time-related utilities, were downloaded over 14,100 times before removal. Software supply chain security firm ReversingLabs identified 20 harmful packages split into two sets: one for uploading data to the attackers' infrastructure, and another implementing cloud client functionality. Prominent cloud platforms affected include Alibaba Cloud, Amazon Web Services, and Tencent Cloud. Three specific harmful packages were linked as dependencies in a GitHub project called 'accesskey_tools', which has significant user engagement. A commit on November 8, 2023, to the 'accesskey_tools' GitHub project referenced one of these malicious packages, which had been available on PyPI since then. Fortinet FortiGuard Labs reported finding thousands of similar malicious packages across both PyPI and npm, emphasizing the prevalence and risk of such threats. |