Attacks & Vulnerabilities

131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign (3 minute read)
Socket researchers discovered 131 malicious Chrome extensions with over 20,000 active users that inject code into WhatsApp Web to automate bulk spam campaigns targeting Brazilian users. The extensions, marketed as CRM tools with names like "YouSeller" and "ZapVende," share identical codebases and are distributed through a franchise model operated by DBX Tecnologia, violating Google's Chrome Web Store policies. The nine-month campaign aims to bypass WhatsApp's rate limits and anti-spam controls by automating message sending without user confirmation.

Foreign hackers breached a US nuclear weapons plant via SharePoint flaws (4 minute read)
Foreign threat actors breached the Kansas City National Security Campus, which produces 80% of non-nuclear components for US nuclear weapons, by exploiting unpatched Microsoft SharePoint vulnerabilities CVE-2025-53770 (spoofing) and CVE-2025-49704 (RCE) in July, with attribution disputed between Chinese nation-state groups (Linen Typhoon, Violet Typhoon, and Storm-2603) and Russian cybercriminals. While the breach targeted IT systems rather than air-gapped OT/manufacturing environments, experts warn that even unclassified technical data such as precision requirements, tolerances, and supply chain details could provide adversaries with strategic intelligence about US weapons capabilities and manufacturing processes. Security teams should prioritize patching SharePoint on-premises servers, implement a comprehensive zero-trust architecture across both IT and OT environments as outlined in DoD's emerging OT fan chart framework, establish robust IT/OT segmentation to prevent lateral movement, and recognize that nation-state actors may acquire zero-day knowledge through MAPP program misuse or underground exchanges before patches are available.

Email Bombs Exploit Lax Authentication in Zendesk (2 minute read)
Cybercriminals are abusing a lack of authentication in the customer service platform Zendesk to flood victims' inboxes with spam messages that come from hundreds of Zendesk customers. Zendesk customers who do not require verified emails to submit tickets can be abused by spammers to send unwanted emails from the company's domain. Zendesk responded to this campaign by recommending that customers require verification.

Securing Amazon Bedrock API keys: Best practices for implementation and management (6 minute read)
AWS recommends using temporary STS credentials over API keys when possible, but when API keys are necessary, short-term keys with built-in expiration are preferred over long-term keys. Organizations should implement comprehensive monitoring through CloudTrail events, EventBridge rules, and AWS Config to detect API key creation and usage while using SCPs to control or block key creation entirely if not needed. The article provides detailed guidance on identifying, protecting, detecting, and responding to API key security events across the credential lifecycle.

How a fake AI recruiter delivers five staged malware disguised as a dream job (14 minute read)
A sophisticated phishing scheme targets developers by posing as an AI recruiter offering an enticing job. Victims are tricked into cloning and running a malicious code repository as part of a "technical assessment," which then unfolds the attack over five stages: first, a hidden backdoor is silently activated, followed by advanced JavaScript and Python malware that steals credentials, crypto wallets, and browser data, monitors keystrokes and clipboard, and installs remote-access tools like AnyDesk. The malware uses deep obfuscation and persistence mechanisms to resist removal and detection, ultimately handing attackers full control and ongoing surveillance of the compromised system.

How I Reversed Amazon's Kindle Web Obfuscation Because Their App Sucked (6 minute read)
Frustrated by Amazon's Kindle app instability and restrictive DRM, this author set out to reverse-engineer Amazon's web obfuscation system. Instead of granting simple access to purchased ebooks, Amazon uses a system where the actual text is encoded as glyph IDs rather than characters, with the mapping randomized for every batch of pages. Overcoming these sophisticated protections required pixel-level glyph matching and leveraging font metrics to reconstruct the book, eventually allowing the owner to access their purchase in a way they controlled.

Nanochat Lets You Build Your Own Hackable LLM (2 minute read)
Andrej Karpathy's nanochat is an open-source project that enables the creation of a simple ChatGPT clone for approximately $100 using 8,000 lines of minimal-dependency code and a single speedrun.sh script, producing a 1.9 billion parameter model trained on 38 billion tokens in about 4 hours on NVIDIA 8XH100 GPU hardware. The accessible codebase allows security researchers and developers to experiment with LLM architecture, understand model training processes, and test modifications without commercial platform restrictions, with scaling to $1,000 enabling significantly more capable models for math, coding, and reasoning tasks. This transparent, hackable approach provides security professionals with valuable insight into LLM internals for threat modeling, adversarial testing, and understanding AI system vulnerabilities that commercial black-box models obscure.

Domainstack (GitHub Repo)
Domainstack is an all-in-one app for exploring domain names. Search any domain (e.g., github.com) and get instant insights, including WHOIS/RDAP lookups, DNS records, SSL certificates, HTTP headers, hosting details, geolocation, and SEO signals.

SilentPush (Product Launch)
Silent Push offers proactive threat intelligence, detecting and mapping malicious infrastructure pre-attack as it supplies "indicators of future compromise" via continuous internet scans. It also supports threat hunting and brand protection, and integrates with existing security tools or can operate standalone.

Winos 4.0 hackers expand to Japan and Malaysia with new malware (3 minute read)
Winos 4.0 threat actors have expanded operations from China and Taiwan to Japan and Malaysia, deploying HoldingHands RAT through phishing emails with fake Finance Ministry PDFs containing embedded malicious links hosted primarily on Tencent Cloud infrastructure. The sophisticated multi-stage attack chain uses digitally signed executables, anti-VM checks, targets Norton/Avast/Kaspersky for evasion, leverages Windows Task Scheduler for persistence, and injects payloads into taskhostw.exe with process monitoring for re-injection, while newer variants added C2 IP update capabilities via registry (HKEY_CURRENT_USER\SOFTWARE\HHClient). Security teams should monitor for suspicious PDF attachments impersonating government finance documents, block identified C2 infrastructure, including IP 156.251.17[.]9 and domain twczb[.]com, implement behavioral detection for Task Scheduler manipulation and unusual dokan2.dll/TimeBrokerClient.dll activity in System32, and trace Tencent Cloud APPID patterns to identify related phishing infrastructure.

Russian Lynx group leaks sensitive UK MoD files, including info on eight military bases (2 minute read)
Russian cybercrime group Lynx breached Dodd Group, a UK Ministry of Defence contractor, on September 23, stealing approximately 4TB of data, including sensitive files on eight RAF and Royal Navy bases such as RAF Lakenheath (hosting US F-35 jets and believed nuclear weapons storage), RAF Portreath (NATO radar site), and RAF Predannack (UK Drone Hub).
The leaked data includes roughly 1,000 documents containing staff names, emails, phone numbers, vehicle details, visitor logs, security guidance, and construction records marked as "Controlled" or "Official Sensitive," with the gang publishing data after failed ransom negotiations. Security professionals should prioritize third-party risk management and contractor security assessments, as supply chain compromises continue to expose critical defense infrastructure and personnel data that nation-state actors can leverage for intelligence gathering or future attacks.

xubuntu.org might be compromised (2 minute read)
The Xubuntu.org website's torrent download links are serving malicious ZIP files containing a suspicious Windows executable with a 2026 copyright date (despite being 2025) and no actual torrent file inside.

Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile