300 Chrome Extensions Caught Stealing 🥷, Product Engineering & Supply Chain 🚚, Snail Mail Attack on Crypto Users ✉

TLDR

Together With Tines

TLDR Information Security 2026-02-16

The future of IT infrastructure is here (Sponsor)

Manual workflows are no match for modern IT infrastructure. 

In this new Tines guide, learn how your team can: 

  • Reduce hidden manual delays 
  • Improve reliability through automated response
  • Scale infrastructure predictably 
  • Build intelligent workflows on top of tools you already use

Get the guide

🔓

Attacks & Vulnerabilities

Over 300 Malicious Chrome Extensions Caught Leaking or Stealing User Data (3 minute read)

Researchers discovered more than 300 malicious Chrome extensions with 37.4 million combined downloads that leaked browsing history, injected iframes, and stole user data. 153 extensions were confirmed to exfiltrate browser history immediately upon installation. A separate LayerX report identified 30 extensions disguised as AI tools that share identical internal structures and backend infrastructure, with 15 specifically targeting Gmail to extract email content and transmit it to third-party servers. Organizations should audit installed browser extensions against published indicators, enforce extension allowlisting policies, and monitor for anomalous network traffic originating from browser processes.
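
A practical way to act on that last sentence (audit against published indicators, enforce allowlisting, spot over-privileged extensions) is to walk the profile's Extensions directory and score each manifest. The script below is an added example, not code from the researchers or from LayerX; the extension IDs, manifests and IOC list in it are constructed placeholders, and the permission heuristics are the editor's own triage signals, not indicators taken from the reports.

```python
"""Audit the extensions in a Chrome profile against an allowlist and a list of
indicator extension IDs, and flag permission combinations that enable history
theft, iframe/script injection or webmail scraping.
Added example; the IDs, manifests and IOC list are constructed placeholders."""
import json
import tempfile
from pathlib import Path

# Profile locations: Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default,
# macOS ~/Library/Application Support/Google/Chrome/Default,
# Linux ~/.config/google-chrome/Default. Each extension is unpacked under
# <profile>/Extensions/<32-char id>/<version>/manifest.json.
RISKY_PERMISSIONS = {
    "history", "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "scripting", "cookies", "declarativeNetRequest", "management", "debugger",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WEBMAIL_HINTS = ("mail.google.com", "outlook.", "mail.")


def _host_patterns(manifest):
    """Every host match pattern the extension requests (MV2 and MV3 layouts)."""
    hosts = set(manifest.get("host_permissions", []))                  # MV3
    hosts |= {p for p in manifest.get("permissions", [])
              if p == "<all_urls>" or "://" in p}                         # MV2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return hosts


def audit_manifest(ext_id, manifest, allowlist=None, iocs=frozenset()):
    """Finding record for one extension; allowlist=None means no policy is enforced."""
    perms = set(manifest.get("permissions", []))
    hosts = _host_patterns(manifest)
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    findings = []
    if ext_id in iocs:
        findings.append("KNOWN_MALICIOUS_ID")
    if allowlist is not None and ext_id not in allowlist:
        findings.append("NOT_ALLOWLISTED")
    if "history" in perms:
        findings.append("READS_BROWSING_HISTORY")
    if broad and (perms & {"scripting", "webRequest", "webRequestBlocking"}
                  or manifest.get("content_scripts")):
        findings.append("CAN_INJECT_INTO_ALL_SITES")
    if any(hint in host for host in hosts for hint in WEBMAIL_HINTS):
        findings.append("TOUCHES_WEBMAIL")
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "findings": findings}


def audit_profile(profile_dir, allowlist=None, iocs=frozenset()):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = []
    manifests = Path(profile_dir).joinpath("Extensions").glob("*/*/manifest.json")
    for path in sorted(manifests):
        ext_id = path.parent.parent.name
        manifest = json.loads(path.read_text(encoding="utf-8"))
        results.append(audit_manifest(ext_id, manifest, allowlist, iocs))
    return results


# Constructed sample profile so the audit runs offline. Neither ID is real.
BENIGN_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SUSPECT_ID = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
SAMPLE_IOCS = frozenset({SUSPECT_ID})        # stands in for a published IOC list


def build_sample_profile():
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-"))
    manifests = {
        BENIGN_ID: {"manifest_version": 3, "name": "Note Taker", "version": "1.0",
                    "permissions": ["storage"],
                    "host_permissions": ["https://notes.example/*"]},
        SUSPECT_ID: {"manifest_version": 3, "name": "AI Mail Helper", "version": "2.3.1",
                     "permissions": ["history", "tabs", "webRequest", "scripting"],
                     "host_permissions": ["<all_urls>"],
                     "content_scripts": [{"matches": ["https://mail.google.com/*"],
                                          "js": ["inject.js"]}]},
    }
    for ext_id, manifest in manifests.items():
        folder = root / "Extensions" / ext_id / manifest["version"]
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for rec in audit_profile(build_sample_profile(), allowlist={BENIGN_ID}, iocs=SAMPLE_IOCS):
        flag = "!!" if rec["findings"] else "ok"
        print(f"{flag} {rec['id']} {rec['name']} v{rec['version']}: "
              f"{', '.join(rec['findings']) or 'clean'}")
```

Point audit_profile at a real profile directory and feed iocs the extension IDs from the published reports; with allowlist set to the IDs you push through Chrome's ExtensionInstallAllowlist policy, NOT_ALLOWLISTED catches anything users side-loaded. A history permission on its own is not proof of malice, so treat the findings as triage signals to pair with the browser-process network monitoring the summary recommends.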
Top Dutch telco Odido admits 6.2M customers caught in contact system caper (2 minute read)

Dutch mobile operator Odido has reported a breach of its customer contact system that exposed data on about 6.2 million people, including names, contact details, bank account information, and ID information, but not passwords, call records, or billing data. Odido is notifying affected customers with tailored messages that warn of the likely follow-on phishing, impersonation, and fake-invoice attempts.

All US Social Security numbers may need to be changed following a massive breach that is already being investigated as a national threat (4 minute read)

A whistleblower alleges a federal tech team improperly cloned the master Social Security database into a poorly governed cloud, potentially exposing rich identity data on 300+ million Americans and enabling long‑term fraud. Lawmakers have demanded criminal investigations. Officials insist that core systems remain secure.

🧠

Strategies & Tactics

The foundation problem: How a lack of accountability is destroying cybersecurity (7 minute read)

Cybersecurity's perceived talent shortage is actually a leadership accountability gap. The Navy trains 18-year-olds to operate nuclear reactors in 18 months through structured programs, while the security industry demands unrealistic experience requirements and refuses to invest in developing junior talent. There are three compounding failures: superficial root-cause analysis that never addresses underlying issues, unchecked technical debt that leaders fail to translate into business risk, and the promotion of technical staff to management roles without leadership training. Security leaders should build structured development paths, conduct rigorous post-incident analysis, and advocate for addressing technical debt as a core business risk rather than accepting recurring failures as inevitable.

Product engineering teams must own supply chain risk (7 minute read)

Modern software is assembled from third-party services, open-source packages, and CI/CD tooling, turning the supply chain into a primary attack surface rather than a background detail. Attacks like malicious dependency updates exploit implicit trust in external code and can silently compromise products, credentials, and customer data at scale. Product teams must treat supply chain integrity as a top priority, using provenance, cryptographic attestations, and the SLSA framework to verify where software comes from and how it was built.
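
To make "verify where software comes from and how it was built" concrete, the following added example (not code from the article or from the SLSA project) shows the policy half of provenance verification: it unpacks a DSSE envelope carrying an in-toto v1 Statement with a SLSA v1 provenance predicate, checks that the artifact's sha256 is listed as a subject and that the predicate type, builder identity and source repository match what the team trusts, and computes the DSSE pre-authentication encoding (PAE) that the envelope signature must cover. Signature verification itself is left to a signing library such as the one behind cosign. The artifact bytes, builder ID, repository URL and envelope are constructed, and the placeholder signature would never verify.

```python
"""Policy half of SLSA provenance verification: unpack a DSSE envelope holding an
in-toto v1 Statement with a SLSA v1 provenance predicate, check the artifact
digest, predicate type, builder identity and source repository, and produce the
DSSE pre-authentication encoding (PAE) that the envelope signature must cover.
Added example, not the SLSA project's verifier; signature checking is left to
a crypto library. Artifact, builder ID, repo URL and envelope are constructed."""
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type, payload):
    """PAE(type, body) = "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)


def check_provenance(envelope, artifact_bytes, trusted_builder, source_repo):
    """Return (ok, reasons, pae). ok is True only if every policy check passed;
    the caller must still verify envelope['signatures'] over pae."""
    reasons = []
    payload = base64.b64decode(envelope.get("payload", ""))
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        reasons.append("unexpected payloadType")
    if not envelope.get("signatures"):
        reasons.append("envelope carries no signature")
    stmt = json.loads(payload or b"{}")
    if stmt.get("_type") != STATEMENT_TYPE:
        reasons.append("not an in-toto v1 Statement")
    if stmt.get("predicateType") != SLSA_PREDICATE:
        reasons.append("predicate is not SLSA provenance v1")
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        reasons.append("artifact sha256 is not among the statement subjects")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder != trusted_builder:
        reasons.append(f"builder {builder!r} is not the trusted builder")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(source_repo) for d in deps):
        reasons.append("expected source repository not among resolvedDependencies")
    return (not reasons, reasons, dsse_pae(envelope.get("payloadType", ""), payload))


# Constructed inputs: a fake release binary, a hypothetical trusted builder and repo.
ARTIFACT = b"\x7fELF constructed release binary, not a real file\n"
TRUSTED_BUILDER = "https://ci.example.invalid/builders/release@v1"
SOURCE_REPO = "git+https://git.example.invalid/acme/app"


def make_sample_envelope(artifact_bytes, builder=TRUSTED_BUILDER, repo=SOURCE_REPO):
    """Build a demo envelope; the signature is a placeholder, not a real one."""
    statement = {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": "app-linux-amd64",
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": SLSA_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://ci.example.invalid/build-types/pipeline@v1",
                "externalParameters": {"ref": "refs/tags/v1.4.0"},
                "resolvedDependencies": [{"uri": repo + "@refs/tags/v1.4.0",
                                          "digest": {"gitCommit": "0" * 40}}],
            },
            "runDetails": {"builder": {"id": builder}},
        },
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "release-key-placeholder",
                            "sig": base64.b64encode(b"not a real signature").decode()}]}


if __name__ == "__main__":
    env = make_sample_envelope(ARTIFACT)
    cases = [("genuine", ARTIFACT, TRUSTED_BUILDER),
             ("tampered", ARTIFACT + b"\x90", TRUSTED_BUILDER),
             ("untrusted builder", ARTIFACT, "https://ci.example.invalid/builders/fork@v1")]
    for label, blob, builder in cases:
        ok, reasons, pae = check_provenance(env, blob, builder, SOURCE_REPO)
        print(f"{label:18} ok={ok} reasons={reasons} pae_prefix={pae[:40]!r}")
```

The point of the builder and repository checks is that a valid signature alone proves only that some key signed some statement; the policy must also pin which builder identity and which source are acceptable, otherwise an attacker who can run the same build service on a fork gets a perfectly valid attestation for a malicious artifact.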
Consumer Protection Tuesday: How Coinbase Safeguards PII Using MPC Encryption (5 minute read)

Coinbase's CoreKMS Encryption Service uses Multi-Party Computation (MPC) to protect PII by deriving ephemeral encryption keys on demand through Distributed Key Generation, ensuring no single party ever holds the complete master key. The system employs AES-GCM-SIV for deterministic, authenticated, field-level encryption of sensitive data such as SSNs, enabling secure querying and indexing of encrypted records in Snowflake without decrypting the underlying data. The approach demonstrates a practical architecture for organizations that need to balance regulatory compliance requirements, such as state data-match reporting, with strong cryptographic guarantees against key compromise.
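
The property that makes "querying and indexing encrypted records without decrypting" work is determinism: under a fixed key, equal plaintexts produce equal ciphertexts, so an exact-match lookup can encrypt the query value and compare. The following is an added teaching example, not Coinbase code: it builds a small SIV-style deterministic authenticated cipher from HMAC-SHA256 only (a tag over the field name and plaintext doubles as the IV for a keystream) so it runs without third-party libraries. It is not AES-GCM-SIV and must not be used in place of a vetted implementation; the MPC key derivation described in the article is not modelled, a single in-memory master key stands in for it, and the records and SSNs are constructed.

```python
"""Deterministic, authenticated field-level encryption with an equality index.
Added example (not Coinbase code). Teaching stand-in built from HMAC-SHA256 in
SIV style; NOT AES-GCM-SIV and not a substitute for a vetted library. The MPC
key derivation from the article is not modelled: one master key stands in."""
import hashlib
import hmac
import secrets

TAG_LEN = 16


def _prf(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class DeterministicFieldCipher:
    def __init__(self, master_key):
        # Separate MAC and encryption subkeys derived from one master key.
        self.mac_key = _prf(master_key, b"field-mac")
        self.enc_key = _prf(master_key, b"field-enc")

    def _keystream_xor(self, iv, data):
        out = bytearray()
        counter = 0
        while len(out) < len(data):
            out += _prf(self.enc_key, iv, counter.to_bytes(4, "big"))
            counter += 1
        return bytes(a ^ b for a, b in zip(data, out))

    def _tag(self, field, plaintext):
        # The field name is bound as associated data so a ciphertext cannot be
        # moved between columns; the length prefix keeps the encoding unambiguous.
        aad = field.encode()
        return _prf(self.mac_key, len(aad).to_bytes(4, "big"), aad, plaintext)[:TAG_LEN]

    def encrypt(self, field, plaintext):
        tag = self._tag(field, plaintext)          # synthetic IV: no randomness, so deterministic
        return tag + self._keystream_xor(tag, plaintext)

    def decrypt(self, field, blob):
        tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
        plaintext = self._keystream_xor(tag, body)
        if not hmac.compare_digest(tag, self._tag(field, plaintext)):
            raise ValueError("authentication failed: wrong key, wrong field, or tampered data")
        return plaintext


class EncryptedRecordStore:
    """Minimal table with an encrypted SSN column and an equality index on it."""
    def __init__(self, cipher):
        self.cipher = cipher
        self.rows = []          # (customer_id, ssn_ciphertext)
        self.index = {}         # ssn_ciphertext -> [customer_id, ...]

    def insert(self, customer_id, ssn):
        ct = self.cipher.encrypt("ssn", ssn.encode())
        self.rows.append((customer_id, ct))
        self.index.setdefault(ct, []).append(customer_id)

    def find_by_ssn(self, ssn):
        # Encrypt the query value and compare; nothing stored is decrypted.
        return self.index.get(self.cipher.encrypt("ssn", ssn.encode()), [])


def demo():
    """Constructed data: returns (ids matching one SSN, number of distinct ciphertexts)."""
    store = EncryptedRecordStore(DeterministicFieldCipher(secrets.token_bytes(32)))
    store.insert("cust-1", "123-45-6789")   # constructed
    store.insert("cust-2", "987-65-4321")   # constructed
    store.insert("cust-3", "123-45-6789")   # constructed duplicate of cust-1
    # Deterministic encryption deliberately leaks equality: duplicates share a ciphertext.
    return store.find_by_ssn("123-45-6789"), len({ct for _, ct in store.rows})


if __name__ == "__main__":
    print(demo())
```

The equality leak is the trade-off, not a bug: it is exactly what lets a data-match query run against the encrypted column, and it is why this mode belongs only on fields that need exact-match lookup, with ordinary randomized encryption for everything else.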
🧑‍💻

Launches & Tools

authID Announces Out of the Box, Biometric Security Solution Aligned with PIV Security Framework for Energy and Other Critical Infrastructure (4 minute read)

authID has launched a biometric security platform aligned with the federal Personal Identity Verification (PIV) framework, targeting energy utilities and critical infrastructure by replacing passwords and physical tokens with biometric authentication for SCADA consoles, privileged accounts, and contractor access. The platform includes IDX for centralized identity management across employees and third parties, PrivacyKey for cryptographic biometric verification without storing biometric data, and authID Mandate for locking down agentic AI with user-bound audit trails. The release comes amid a 70% year-over-year increase in utility cyberattacks in the US and growing concerns over state-sponsored actors like Volt Typhoon pre-positioning within critical infrastructure networks.

1Password open sources a benchmark to stop AI agents from leaking credentials (4 minute read)

SCAM (Security Comprehension and Awareness Measure) is an open-source benchmark from 1Password that tests whether AI agents behave safely in real workflows, such as opening emails, retrieving credentials, and filling out login forms. It addresses the gap where models that can identify phishing when prompted still fall for attacks when operating autonomously. Testing across eight frontier models revealed safety scores ranging from 35% to 92%, with every model exhibiting critical failures, such as entering credentials on phishing pages or forwarding passwords to external parties. However, applying a short security "skill file" dramatically reduced failures across all models. Released under the MIT License, the benchmark includes 30 workplace scenarios, a scoring framework, and video replay tooling to support enterprise AI agent safety evaluation.

Mercator (GitHub Repo)

Mercator is an open-source web application designed to manage the mapping of information systems.

🎁

Miscellaneous

Snail mail letters target Trezor and Ledger users in crypto-theft attacks (3 minute read)

Threat actors are sending physical letters impersonating Trezor and Ledger security teams, urging hardware wallet users to complete fake "Authentication Check" or "Transaction Check" processes by scanning QR codes that lead to phishing sites designed to steal recovery phrases. The campaign likely leverages customer data exposed in prior Trezor and Ledger data breaches, with phishing domains such as trezor.authentication-check[.]io exfiltrating submitted seed phrases via a backend API endpoint. Hardware wallet manufacturers will never request recovery phrases through mail, email, or websites — seed phrases should only ever be entered directly on the hardware device itself.

Google Links China, Iran, Russia, North Korea to Coordinated Defense Sector Cyber Operations (4 minute read)

Google Threat Intelligence Group (GTIG) has published findings detailing coordinated cyber operations by state-sponsored actors from China, Iran, North Korea, and Russia targeting the defense industrial base (DIB) sector across four key themes: battlefield technology theft tied to the Russia-Ukraine war, employee targeting and hiring process exploitation, edge device compromise by China-nexus groups, and supply chain attacks through manufacturing breaches. Notable activity includes APT44 exfiltrating Signal and Telegram data from devices captured in Ukraine, Lazarus Group's continued Operation Dream Job campaigns against aerospace and defense targets, and Volt Typhoon conducting reconnaissance against North American military contractor login portals. DIB organizations should prioritize secure messaging hygiene, EDR evasion-aware detection strategies, and supply chain integrity monitoring, given the persistent multi-vector nature of these campaigns.

Senegalese Data Breaches Expose Lack of Security Maturity (3 minute read)

Ransomware gang Green Blood Group breached Senegal's national biometric ID infrastructure, stealing highly sensitive data, including birth records and ID card details for most of the country's 20 million residents. The incident disrupted ID issuance, exposed weak cyber governance, and sparked fears of long-term fraud and public mistrust in digital government.

Quick Links

Secure Automation Requires a Different Architecture (Sponsor)

Governance is an afterthought in most automation frameworks. Liminal's Behavioral Agent Automation Platform works differently: observe behavior, surface opportunities, assemble agents, deploy with approval. Oversight, audit trails, access controls included. Download the free framework to learn more.

OpenSSH Post-Quantum Cryptography (1 minute read)

OpenSSH 10.1 now warns users when connections use non-post-quantum key exchange algorithms, encouraging migration to mlkem768x25519-sha256 (default since 10.0) or sntrup761x25519-sha512 to defend against "store now, decrypt later" attacks.
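
The client-side warning only helps the person at the keyboard. The following added example (not OpenSSH code) turns the same check into something you can run across a fleet: it classifies key-exchange names, reads the negotiated algorithm out of `ssh -vv` output, audits the KexAlgorithms list from an `sshd -T` dump for classical fallbacks, and emits a PQ-only directive. The sample lines are constructed in the shapes OpenSSH's verbose client output ("debug1: kex: algorithm: <name>") and `sshd -T` ("kexalgorithms <comma list>") use; confirm them against your own build before relying on the regexes.

```python
"""Spot SSH connections and server configs that still negotiate classical
(non-post-quantum) key exchange. Added example, not OpenSSH code. Sample lines
are constructed in the shapes `ssh -vv` ("debug1: kex: algorithm: <name>") and
`sshd -T` ("kexalgorithms <comma list>") print; confirm against your build."""
import re

# The two hybrid post-quantum KEX methods OpenSSH ships (ML-KEM-768 and sntrup761, each paired with X25519).
POST_QUANTUM_KEX = {"mlkem768x25519-sha256", "sntrup761x25519-sha512"}
# Pseudo-algorithms that appear in KEX lists but are not key exchanges.
KEX_PSEUDO_PREFIXES = ("ext-info-", "kex-strict-")

CLIENT_KEX_LINE = re.compile(r"debug1: kex: algorithm: (\S+)")
SSHD_T_KEX_LINE = re.compile(r"^kexalgorithms\s+(\S+)", re.IGNORECASE)


def is_post_quantum_kex(name):
    """True for the hybrid PQ methods, including the older @openssh.com-suffixed name."""
    return name.split("@", 1)[0] in POST_QUANTUM_KEX


def negotiated_kex(client_debug_lines):
    """From `ssh -vv` output, return (kex_name, is_pq) or None if no kex line was seen."""
    for line in client_debug_lines:
        m = CLIENT_KEX_LINE.search(line)
        if m:
            return m.group(1), is_post_quantum_kex(m.group(1))
    return None


def audit_kex_list(kex_csv):
    """Audit a KexAlgorithms value. A classical method anywhere in the list stays
    negotiable by a peer without PQ support, so preferring a PQ hybrid first does
    not by itself close the store-now-decrypt-later window."""
    algs = [a for a in kex_csv.split(",") if a and not a.startswith(KEX_PSEUDO_PREFIXES)]
    prefers_pq = bool(algs) and is_post_quantum_kex(algs[0])
    classical = [a for a in algs if not is_post_quantum_kex(a)]
    return {"prefers_pq": prefers_pq, "classical_remaining": classical,
            "pq_only": prefers_pq and not classical}


def audit_sshd_dump(sshd_t_lines):
    """Find the kexalgorithms line in `sshd -T` output and audit it."""
    for line in sshd_t_lines:
        m = SSHD_T_KEX_LINE.match(line.strip())
        if m:
            return audit_kex_list(m.group(1))
    return None


def pq_only_directive(kex_csv):
    """Rewrite a KexAlgorithms list keeping only the PQ hybrids, in original order."""
    keep = [a for a in kex_csv.split(",") if is_post_quantum_kex(a)]
    return "KexAlgorithms " + ",".join(keep)


# Constructed samples.
SAMPLE_CLIENT_LOG = [
    "debug1: Local version string SSH-2.0-OpenSSH_10.1",
    "debug1: kex: algorithm: curve25519-sha256",
    "debug1: kex: host key algorithm: ssh-ed25519",
]
SAMPLE_SSHD_T = [
    "port 22",
    "kexalgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ecdh-sha2-nistp256",
]

if __name__ == "__main__":
    print("client negotiated:", negotiated_kex(SAMPLE_CLIENT_LOG))
    print("server policy:", audit_sshd_dump(SAMPLE_SSHD_T))
    print(pq_only_directive(SAMPLE_SSHD_T[1].split(None, 1)[1]))
```

Dropping the classical methods is only safe once every client that must reach the host supports one of the hybrids; until then the realistic goal is "PQ preferred, classical fallback visible in the audit", which is what the `classical_remaining` list is for.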
Google fears massive attempt to clone Gemini AI through model extraction (4 minute read)

Google detected and blocked over 100,000 prompts designed to extract Gemini's proprietary reasoning capabilities for model distillation.

Fintech lending giant Figure confirms data breach (2 minute read)

Figure Technology has confirmed a breach after an employee fell for a social engineering attack.


If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile

