Everest Polycom 90GB Theft 📞, Google Looker Vulnerability 👀, Firefox Disable AI Switch 🤖

TLDR Information Security 2026-02-05

TLDR is hiring a Curator for TLDR IT! (TLDR Curator, ~5 hrs/week)

We are launching a brand new newsletter covering IT and enterprise tech.

If you are an IT leader interested in writing for us, please send your resume or LinkedIn to itcurator@tldr.tech!

🔓

Attacks & Vulnerabilities

Everest Ransomware Claims 90GB Data Theft Involving Legacy Polycom Systems (2 minute read)

The Everest ransomware group claimed to have exfiltrated 90GB of internal data from systems linked to Polycom, now owned by HP Inc., including engineering build environments, source code, and technical documentation for the RMX and RealPresence conferencing platforms. Evidence suggests the data originated in legacy Polycom environments from 2017–2019, predating HP's acquisition, though it remains unclear when the systems were accessed. HP Inc. has not confirmed the breach.

Vulnerabilities Allowed Full Compromise of Google Looker Instances (3 minute read)

Tenable researchers uncovered LookOut, two flaws in Google Looker that allow attackers with developer rights to execute code remotely, steal secrets, and exfiltrate the internal MySQL database via an auth bypass and error-based SQL injection. Google patched cloud-hosted instances in September 2025, but self-hosted deployments must update on their own; no active exploitation has been detected.

Big Breach or Smooth Sailing? Mexican Gov't Faces Leak Allegations (4 minute read)

Hacktivist collective Chronus claims to have leaked 2.3TB of data from at least 25 Mexican government bodies, potentially exposing personal and healthcare records of 36 million citizens. Mexico's ATDT argues the dump repackages old breaches from obsolete third‑party systems, not fresh sensitive data.

🧠

Strategies & Tactics

GatewayToHeaven: Finding a Cross-Tenant Vulnerability in GCP's Apigee (11 minute read)

A cross-tenant vulnerability (CVE-2025-13292) discovered in Google Cloud's Apigee allowed attackers to chain SSRF via the GKE metadata endpoint, to escalate privileges via Dataflow JAR poisoning, and to abuse autoscaling to access analytics data across all Apigee tenants, including plaintext OAuth access tokens. The attack exploited shared cross-tenant metadata buckets lacking tenant-specific path isolation and overly permissive service account permissions within tenant projects. Organizations using managed multi-tenant cloud services should audit tenant isolation boundaries, restrict access to metadata endpoints from workloads, and ensure that shared infrastructure components enforce strict per-tenant scoping.

Building Security to Unlock Engineering Velocity (4 minute read)

Robinhood built SERA (Secure Enhanced Remote Approval), an internal platform that replaces VPN-dependent access approvals with passkey-based biometric authentication, enabling engineers to securely approve requests from any device. The system uses trusted enrollment on corporate devices to bootstrap credentials and then enables flexible remote approvals with tamper-evident audit trails, reducing approval times by over 20%. This approach demonstrates how organizations can reduce friction in security incident response and off-hours workflows without weakening authentication guarantees.

Exploiting AWS IAM Eventual Consistency (5 minute read)

AWS is a highly distributed system, so changes take time to propagate across it; this is known as eventual consistency. That propagation window, nearly four seconds long, can be exploited to recreate deleted or disabled AWS access keys before the change has taken effect everywhere. To prevent an attacker from exploiting eventual consistency, first deny the principal all access via an SCP, wait 4 seconds, and only then delete the key through the standard process. Other IAM operations, such as policy attachment and detachment and role assumption, share this vulnerability.
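The deny-then-delete order recommended above, as an added Python example that is not from the article or from AWS: it builds a per-principal deny SCP and runs the steps in sequence against boto3-style clients. The account id, user name and key id are constructed placeholders, and DryRunClient is a stand-in that records calls so the ordering can be checked offline.

```python
import json
import time


def build_deny_scp(principal_arn: str) -> dict:
    """SCP that denies every action to one principal; the aws:PrincipalArn
    condition keeps the rest of the member account unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRevokedPrincipal",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnEquals": {"aws:PrincipalArn": principal_arn}},
        }],
    }


class DryRunClient:
    """Stand-in for a boto3 client: records calls instead of talking to AWS."""
    def __init__(self, log): self.log = log

    def __getattr__(self, name):
        def call(**kwargs):
            self.log.append((name, kwargs))
            return {"Policy": {"PolicySummary": {"Id": "p-dryrun"}}}  # only create_policy reads this
        return call


def revoke_access_key(iam, orgs, *, account_id, user_name, access_key_id,
                      settle_seconds=4.0, sleep=time.sleep):
    """Deny first, let the deny propagate, then delete the key the usual way.
    SCPs only bind member accounts, not the organization's management account."""
    principal_arn = f"arn:aws:iam::{account_id}:user/{user_name}"
    created = orgs.create_policy(Content=json.dumps(build_deny_scp(principal_arn)),
                                 Description=f"Emergency deny for {user_name}",
                                 Name=f"deny-{user_name}", Type="SERVICE_CONTROL_POLICY")
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    orgs.attach_policy(PolicyId=policy_id, TargetId=account_id)
    sleep(settle_seconds)  # the ~4 s propagation window from the article
    iam.update_access_key(UserName=user_name, AccessKeyId=access_key_id, Status="Inactive")
    iam.delete_access_key(UserName=user_name, AccessKeyId=access_key_id)
    return policy_id


def dry_run():
    """Replay the procedure offline and return the call order (constructed ids)."""
    log = []
    revoke_access_key(DryRunClient(log), DryRunClient(log), account_id="111122223333",
                      user_name="alice", access_key_id="AKIAEXAMPLEKEY00000",
                      sleep=lambda s: log.append(("sleep", {"seconds": s})))
    return [name for name, _ in log]
```

With real boto3 clients (`boto3.client("iam")`, `boto3.client("organizations")`) the same function performs the live procedure; detach and delete the emergency SCP afterwards once the key is gone.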
🧑‍💻

Launches & Tools

claude-code-transcripts (4 minute read)

claude-code-transcripts is a Python CLI tool that converts Claude Code sessions into detailed, shareable HTML pages capturing prompts, tool calls, thinking traces, and commits. The tool supports both local Claude Code sessions and Claude Code for web via a reverse-engineered private API. It is useful for maintaining audit trails of AI-assisted development decisions and evaluating prompting strategies across coding agent workflows.

Orion Security (Product Launch)

Orion provides an AI-driven data protection platform that maps how sensitive information moves across an organization, detects risky or abnormal data flows in real time, and automatically prevents leaks and insider-driven data loss across modern cloud environments.

SpiceDB (GitHub Repo)

SpiceDB is an open-source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data.

🎁

Miscellaneous

Mozilla Announces Switch to Disable All Firefox AI Features (2 minute read)

Following user backlash, Mozilla announced that it will add a toggle to disable current and future AI features. Alongside the toggle, an AI control panel will let users selectively enable or disable specific features. Unless users turn on the "Block AI Enhancements" toggle, features start out enabled in the AI control panel until users choose to disable them.

Apple's New iPhone and iPad Security Feature Limits Cell Networks From Collecting Precise Location Data (2 minute read)

Apple has announced a new feature for select iPhones and cellular-enabled iPads that limits the precision of the location data shared with a customer's cell carrier. Applications that the user has granted access to precise location, as well as emergency calls, will still have access to the user's precise location.

Nitrogen ransomware is so broken even the crooks can't unlock your files (2 minute read)

Ransomware gang Nitrogen shipped an ESXi encryptor with a fatal bug that corrupted its own Curve25519 public key, making decryption mathematically impossible even if victims pay. The slipup turns a profit-driven campaign into pure destruction: criminals earn nothing while organizations are left with unrecoverable hypervisors and costly rebuilds.

Quick Links

Step Finance says compromised execs' devices led to $40M crypto theft (2 minute read)

Solana-based DeFi platform Step Finance lost $40 million in digital assets after hackers compromised executives' devices and drained multiple treasury wallets.

Sudo maintainer, handling utility for more than 30 years, is looking for support (2 minute read)

Sudo's sole maintainer, Todd C. Miller, has been seeking sponsorship since losing corporate backing in February 2024, raising concerns about the long-term sustainability of a foundational Unix/Linux security utility.

OpenClaw's AI 'skill' extensions are a security nightmare (2 minute read)

Security researchers warn that OpenClaw's booming "skill" marketplace has become a major attack surface.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here, create your own role or send a friend's resume to jobs@tldr.tech and get $1k if we hire them! TLDR is one of Inc.'s Best Bootstrapped businesses of 2025.

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile
