< ciso
brief />
Tag Banner

All news with #api abuse tag

35 articles

Dormant GitHub Accounts Exploited to Scrape Orgs

🔎 Datadog Security Labs warns of coordinated campaigns using dormant or compromised GitHub accounts and exposed personal access tokens to enumerate organizations via the GitHub API. Operators use automated scraping tools, aged "ghost" accounts, and legitimate-sounding user agents to blend into normal API traffic, primarily collecting public data but occasionally cloning private repositories. The activity leverages unauthenticated API surfaces and GraphQL queries to map repos, memberships, followers, and other artifacts for reconnaissance.
read more →

GitHub API abuse fuels enterprise reconnaissance

🔎 Datadog Security Research has tracked sustained abuse of GitHub’s public APIs where automated scanners, leaked credentials, and ghost accounts map organizations and members. Attackers harvest source code, secrets, and pipeline data by blending requests into normal traffic and leveraging the /graphql endpoint and REST org-mapping calls. Detection requires auditing user agents, token types, and unusual actor behavior, while enterprises should enable audit log streaming, MFA, access reviews, and credential scanning.
read more →

AI-enabled browser ransomware risk on Android

🛡️ Check Point Research discovered a Python Flask sample where an AI model connected a legitimate browser API to ransomware-like behavior. The model generated code invoking showDirectoryPicker(), leveraging the File System Access API to request folder access and modify files without installation. A proof-of-concept showed how a fake web app could encrypt photos in a chosen directory, and Android Chrome’s full API support makes DCIM access possible. Defenders should scrutinize folder-access prompts, avoid granting write access to primary photo libraries, and rely on anti-phishing controls to block malicious pages.
read more →

Research shows free apps turn smart TVs into proxies

🔍 A reverse-engineered iOS SDK from Bright Data reveals free apps can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic. The SDK, embedded behind opt-in screens, uses peer channels with weak authentication and can bypass VPNs on iOS, allowing background relays that consume home bandwidth. Blocking a handful of SDK domains at the router or scanning apps on managed devices can stop the behavior.
read more →

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.
read more →

Mass Credential Theft via CVE-2025-55182 Targets Next.js

🔓 Cisco Talos has linked a large-scale credential harvesting campaign to a threat cluster tracked as UAT-10608 that exploited CVE-2025-55182 in React Server Components and the Next.js App Router to breach at least 766 hosts. The intruders deployed a multi-stage dropper that collected environment variables, SSH keys, cloud metadata credentials, API keys, and other secrets before aggregating them in a password-protected web GUI called NEXUS Listener. Researchers accessed an exposed instance and observed a broad array of stolen items, including Stripe keys, GitHub tokens, AI platform keys, webhook secrets, and database connection strings. Organizations are urged to patch vulnerable Next.js deployments, enforce least privilege, enable IMDSv2, rotate credentials, and implement secret scanning.
read more →

APIs Are the New Perimeter: How Security Leaders Secure Them

🔒 APIs are increasingly the enterprise perimeter, and recent breaches show traditional protections often miss API-layer abuse. Security teams report attacks that exploit business logic or use stolen credentials, which EDR and WAF tools can treat as legitimate traffic. CISOs are adopting API governance, centralized inventories, identity-aware access controls, and API gateways integrated into CI/CD to enforce least-privilege and reduce misconfiguration risk. As agentic AI and automated agents proliferate, stronger token handling, credential rotation, and real-time behavioral monitoring are becoming essential.
read more →

Lloyds Bank bug exposed customers' transaction data

🔓 Lloyds Banking Group has disclosed a software glitch that briefly allowed some mobile app users to see other customers' transactions. The bank told the UK Parliament’s Treasury Committee the problem followed an overnight IT change and a defect in the design of the code used to update the API behind the app. Of 21.6 million app users, 447,936 may have been shown another user's transactions and 114,182 may have viewed transaction details during the incident. Lloyds said no full account access or customer losses were identified and that it notified regulators, including the ICO.
read more →

Ajax systems flaw exposed fan data and enabled ticket hijack

🔒 Ajax Amsterdam disclosed that a hacker exploited vulnerabilities in its IT systems, allowing access to some fan data and control over ticket transfers. The club said only email addresses for a few hundred people were viewed and that fewer than 20 stadium-banned individuals had names, emails and dates of birth exposed. RTL journalists, tipped by the attacker, independently verified the flaws and demonstrated the ability to transfer season tickets, modify stadium bans and access broad fan data via APIs and shared keys. Ajax has engaged external experts, patched the vulnerabilities, notified authorities and advised fans to remain vigilant for impersonation attempts.
read more →

Threat Actors Mass-Scan Salesforce Experience Cloud Sites

🔍Salesforce has warned that a threat actor is using a customized version of the open-source tool AuraInspector to mass-scan publicly accessible Experience Cloud sites and exploit overly permissive guest user configurations. The modified tool can both identify vulnerable API endpoints and extract data from misconfigured environments without authentication. Salesforce says the activity targets customer configuration weaknesses rather than a platform flaw and urges customers to review guest user settings and follow recommended configuration guidance.
read more →

ShinyHunters Claims Ongoing Salesforce Aura Data Theft

🔒 Salesforce warns customers that attackers are targeting misconfigured Experience Cloud sites by abusing the /s/sfsites/aura API, allowing guest users to access more data than intended. Threat actors have used a modified AuraInspector scanner and bespoke exfiltration tools; the extortion group ShinyHunters claims responsibility and reports hundreds of compromises. Salesforce stresses this stems from customer guest‑user settings, not a platform vulnerability, and provides immediate mitigation guidance.
read more →

Protecting SaaS from Bot Attacks with SafeLine WAF

🔒 SafeLine is presented as a self-hosted web application firewall that inspects every HTTP request and emphasizes behavioral and semantic analysis rather than simple signature matching. It combines a Semantic Analysis Engine, anti-bot challenges, rate limiting and identity controls to reduce fake sign-ups, credential stuffing, scraping and abusive automation. Deployable as a reverse proxy, it gives SaaS teams control over logs, latency and compliance while providing a dashboard for tuning and visibility.
read more →

Exposed Google API keys can now reveal Gemini AI data

🔓 Google Cloud API keys that were once treated as non-sensitive can now authenticate to the Gemini generative AI assistant, creating a new attack path where keys embedded in client-side JavaScript expose private assistant data. TruffleSecurity discovered nearly 2,800 live, publicly accessible keys across sectors — including financial firms and a Google product — by scanning the November 2025 Common Crawl. Attackers who copy exposed keys can call Gemini endpoints to retrieve data or generate costly API usage; developers should audit projects for the Generative Language API, rotate exposed keys immediately, and use detection tools to prevent abuse.
read more →

Marquis Sues SonicWall Over Cloud Backup Breach Lawsuit

🔒 Marquis Software Solutions has filed suit against SonicWall, alleging gross negligence and misrepresentation after a ransomware attack on August 14, 2025 that followed a compromise of a SonicWall firewall. Investigators say the attacker accessed configuration backups stored in SonicWall’s MySonicWall cloud—an exposure Marquis attributes to an API code change in February 2025—and used configuration data and AES-256-encrypted credentials to bypass MFA. The stolen files included extensive personal and financial information; Marquis says the incident disrupted operations for 74 U.S. banks and forced the firm to defend more than 36 consumer class actions while seeking monetary damages, indemnification and equitable relief.
read more →

Exposed LLM Endpoints Increase Attack Surface and Risk

🔐 Modern LLM deployments expand rapidly, and each new endpoint increases the attack surface, often with implicit trust and excessive permissions. Internal APIs, long-lived tokens and misconfigurations frequently expose endpoints that act as pivot points to databases, tools and cloud services. Organizations should apply least-privilege, just-in-time access and automated secrets rotation to limit damage. Solutions like Keeper help implement endpoint privilege management.
read more →

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.
read more →

Crooks Hijack and Resell Exposed Corporate AI Infrastructure

🔒 Researchers at Pillar Security warn of large-scale campaigns that probe and exploit exposed LLM and MCP endpoints to steal compute, exfiltrate context data, and resell API access. In recent weeks, honeypots captured roughly 35,000 attack sessions linked to Operation Bizarre Bazaar and a parallel MCP reconnaissance effort that leverage Shodan/Censys scanners, automated validators, and a criminal marketplace. Threat actors target unprotected Ollama, vLLM and OpenAI-compatible endpoints and are marketing discounted access via a site called The Unified LLM API Gateway. Organizations must require authentication, audit MCP exposure, apply rate limits, block known malicious ranges, and treat AI endpoints with the same rigor as APIs and databases immediately.
read more →

Hackers Hijack Exposed LLM Endpoints in Bizarre Bazaar

🔒 Researchers at Pillar Security recorded over 35,000 attack sessions in a 40-day window revealing a large-scale operation they call Bizarre Bazaar, an instance of LLMjacking that monetizes exposed LLM endpoints. The campaign targets misconfigured self-hosted models, unauthenticated APIs (notably Ollama on port 11434 and OpenAI-compatible services on port 8000), and publicly accessible MCP servers. Compromised endpoints are used for cryptocurrency mining, reselling API access through a marketplace dubbed silver[.]inc, data exfiltration, and lateral movement into internal systems.
read more →

Hackers Scan Misconfigured Proxies to Reach Paid LLMs

🔍 Threat actors have been probing misconfigured proxy servers to access paid large language model (LLM) endpoints, generating over 80,000 sessions since late December, according to GreyNoise. Attackers used low-noise queries to fingerprint models without triggering alerts and targeted vendors such as OpenAI, Anthropic, Google, Meta, Mistral and others. While GreyNoise reports no observed exploitation or data theft, the scale of enumeration indicates reconnaissance with possible malicious intent. Recommended mitigations include restricting Ollama model pulls to trusted registries, applying egress filtering, blocking known OAST callback domains at DNS, rate-limiting suspicious ASNs, and monitoring JA4 fingerprints.
read more →

Google Sues SerpApi for Malicious Web Scraping Abuse

🔒 Google has filed a lawsuit against the scraping company SerpApi for circumventing security measures and taking copyrighted content that appears in Search results. The complaint alleges SerpApi cloaks its bots, rotates identities, and bombards websites to harvest licensed images and real‑time Search data, which it then resells for a fee. Google says it resorted to legal action after technical protections were repeatedly bypassed in order to protect publishers and rightsholders.
read more →