< ciso brief />

All news with #data exfiltration tag

182 articles · page 2 of 10

US Charges Scattered Spider Hacker Arrested in Finland

🔍 A 19-year-old dual U.S.-Estonian citizen arrested in Finland faces federal charges in the United States, accused of acting as a prolific member of the Scattered Spider hacking collective under the alias Bouquet. Prosecutors allege he helped extort millions through multiple breaches, including a March 2023 intrusion when he was 16 and a May 2025 attack on a multibillion-dollar luxury retailer that prompted an $8 million ransom demand and over $2 million in remediation costs.

UK Biobank Breach: Half a Million Health Records Listed

🔒 The personal health data of more than 500,000 UK Biobank volunteers was briefly listed for sale on Chinese e-commerce platforms, prompting removal of the adverts and joint action by UK and Chinese authorities. UK Biobank says the datasets were de-identified and did not include direct identifiers such as names or NHS numbers, and there is currently no evidence the data were purchased. The organisation has suspended researcher access, restricted downloads on its cloud research platform and launched a forensic investigation into misuse by researchers at three academic institutions.

Trigona Ransomware Adopts Custom Tool to Steal Data

🔒 Symantec researchers observed Trigona ransomware affiliates using a custom command-line exfiltration utility, uploader_client.exe, in March to siphon high-value documents to a hardcoded server. The tool supports parallel uploads, TCP rotation after 2GB, selective file-type exclusion, and an authentication key to control access to stolen data. The shift from public utilities like Rclone appears intended to reduce detection during double-extortion operations. Symantec has published IoCs to aid defenders.

Malicious KICS Docker Images and VS Code Extensions

⚠️ Cybersecurity researchers warn that unknown actors pushed malicious images to the official checkmarx/kics Docker Hub repository, overwriting tags and introducing a non-official release. Socket's analysis shows the bundled KICS binary was modified to collect, encrypt, and exfiltrate uncensored scan reports to an external endpoint, posing a high risk for IaC scans that may include credentials. Related Checkmarx Microsoft Visual Studio Code extensions (versions 1.17.0 and 1.19.0) were also found to contain code that downloads and runs a remote addon via the Bun runtime using a hardcoded GitHub URL without integrity checks. Organizations that used the affected images or extensions should assume exposed secrets are compromised and treat the event as a broader supply chain compromise.

Harvester Deploys Linux GoGra Backdoor Against South Asia

🔒 Symantec and Carbon Black attribute a new Linux build of the GoGra backdoor to the threat actor known as Harvester, observing deployments likely targeting entities in South Asia. The implant abuses Microsoft Graph and Outlook mailboxes as a covert C2 channel and is delivered via ELF binaries disguised as PDF lures. Incoming tasking emails (subject prefix "Input") contain Base64-encoded shell commands that the backdoor decodes and runs via /bin/bash, then exfiltrates the results as emails labeled "Output" and deletes the original messages.

NGate Android Malware Hides in Trojanized HandyPay App

🔒 A new NGate variant is delivered inside a trojanized version of HandyPay, a legitimate NFC payments app, to steal payment card data from Android devices. Researchers at ESET say the campaign has been active since November 2025 and primarily targets users in Brazil, using fake Google Play pages and a malicious APK distribution chain. The trojan asks victims to set it as the default NFC payment app, collects card PINs and card taps, and exfiltrates the data via a hardcoded email address.

108 Malicious Chrome Extensions Linked to Single Backend

🔔 Cybersecurity researchers have uncovered a coordinated campaign of 108 malicious Google Chrome extensions that share a common command-and-control backend and have accumulated roughly 20,000 installs. The add-ons, published under five publisher identities, exfiltrate credentials and session data, inject ads and arbitrary JavaScript, and can force-load attacker-controlled sessions. Many abuse OAuth2, strip security headers, and periodically harvest Telegram Web sessions. Users should remove suspicious extensions and log out of Telegram Web sessions to invalidate any stolen tokens.

Basic-Fit data breach exposes personal details of 1M

🔒 Basic-Fit, one of Europe's largest gym operators, disclosed unauthorized access to the system that records members' visits and said about 1 million members across the Netherlands, Belgium, Luxembourg, France, Spain and Germany were affected. The intrusion was detected and stopped within minutes, but investigators determined the attacker exfiltrated data including full name, address, email, phone number, date of birth, bank account details and membership information. Franchise-held customer records were stored separately and were not exposed. Basic-Fit says no identification documents or account passwords were accessed, and the company has notified regulators and continues to monitor the situation with external experts.

Hidden Security Risks of Shadow AI in Enterprises 2026

🔒 As AI tools spread inside organizations without formal approval, employees increasingly use generative platforms and third-party models that operate outside IT visibility. That creates uncontrolled data exposure, expanded attack surfaces, and identity risks when sensitive information or credentials are shared. Organizations should adopt clear AI usage policies, approved secure alternatives, enhanced monitoring, and targeted employee training to enable safe, productive AI usage.

Scrutiny Grows Over LinkedIn’s Handling of User Data

🔍 LinkedIn’s massive trove of user information is facing scrutiny after a small European firm behind the BrowserGate campaign alleged that hidden code on linkedin.com scans visitors’ machines for installed software and transmits the inventory to LinkedIn and third parties. The group, which uses names including Teamfluence and Fairlinked and is led by an individual using the name Steven Morrell, framed the activity as an “illegal” search and a form of corporate espionage. LinkedIn denied core accusations, said it discloses browser-extension scanning in its privacy policy to detect abuse and protect site stability, and declined to confirm whether the data is used only for those purposes.

LinkedIn 'Browsergate' and violent crypto delivery robberies

🔍 A German privacy group, Fairlinked, reports that LinkedIn injects a large JavaScript payload into Chrome-based browsers that scans for over 6,000 installed extensions and collects device signals on many interaction events. The code allegedly harvests extension presence, CPU/memory/screen and other metadata and ties those fingerprints to logged-in identities. LinkedIn disputes the characterisation, saying the checks target scraping and policy-violating extensions. Users are advised to consider non-Chrome browsers and reduce extension exposure to limit profiling.

GrafanaGhost vulnerability enables silent data exfiltration

🔒 Researchers at Noma's Threat Research Team have disclosed a critical vulnerability, GrafanaGhost, that enables attackers to silently extract sensitive enterprise data from Grafana environments. The exploit chains application and AI weaknesses — including flawed URL validation and indirect prompt injection — to transfer data to attacker servers without credentials or user interaction. Built-in guardrails can be bypassed with simple prompt tricks and protocol-relative URLs, allowing automatic background exfiltration that leaves little trace.

Zero-click Grafana AI flaw enables enterprise data leaks

🛡️ Researchers disclosed a critical issue in Grafana, dubbed GrafanaGhost, that enables zero-click exfiltration of sensitive telemetry and business data via AI-powered dashboards. Noma Security reported the chained exploit, which combines indirect prompt injection and a URL validation bypass; Grafana validated the report and released a patch. The attack abuses protocol-relative URLs and model keywords to trick the AI into sending data to attacker servers. Organizations should patch, restrict img-src, and enforce egress controls.

36 Malicious npm Packages Exploited Redis and PostgreSQL

SafeDep researchers disclosed 36 malicious npm packages masquerading as Strapi v3 plugins that execute payloads via the postinstall hook. Uploaded by four sockpuppet accounts over 13 hours, the packages weaponized Redis and PostgreSQL to deploy reverse shells, harvest credentials, and install a persistent implant targeting a host named prod-strapi. The postinstall script runs with the installing user's privileges, creating acute risk for CI/CD pipelines and containers. Users who installed any listed package are advised to assume compromise and rotate all credentials.

LinkedIn's Hidden Script Scans 6,000+ Chrome Extensions

🔍 LinkedIn was found to inject hidden JavaScript that fingerprints visitors' browsers, testing for over 6,000 Chrome extensions and collecting device and system details such as CPU cores, memory, screen resolution, timezone, battery status, audio information, and storage features. Researchers say the script links extension presence to identifiable profiles; LinkedIn confirms extension detection but insists it is used to stop scraping and protect platform stability. BleepingComputer observed a randomized script file performing the checks but could not verify claims about downstream sharing or commercial use.

LinkedIn scans 6,000+ Chrome extensions, gathers device info

🔍 A new report named BrowserGate alleges that LinkedIn injects hidden JavaScript into user sessions to probe browsers for installed extensions and collect device characteristics. BleepingComputer independently observed a randomized script that attempted to detect 6,236 extensions by checking extension resource URLs and also harvested CPU, memory, screen, timezone, battery, audio, and storage details. LinkedIn says it looks for extensions that scrape content or violate its Terms and uses detection to inform defenses and enforcement, while the report warns this scanning could map competitors' customers and enable profiling. The use and sharing of the collected data have not been independently verified.

FBI Advises Caution Using Chinese Mobile Apps Over Privacy

🔒 The FBI has issued a public service announcement warning Americans about privacy and data-security risks posed by foreign-developed mobile applications, particularly those maintained by Chinese companies. The bureau says some apps may collect extensive personal data — even when only active — and may store information on servers in China or require consent to share data. The FBI recommends disabling unnecessary sharing, updating device software, and installing apps only from official app stores.

Hackers Target Iranwire Exile Portal, Judiciary Reports

🛡️ According to the Iranian judiciary's mouthpiece Misan, the exile news portal Iranwire was allegedly breached and a large volume of sensitive material was taken, including correspondence, staff lists, informant identities and other highly confidential records. The site displayed a maintenance notice while continuing to post on social media, and authorities blamed the hacker group Handala, which has been linked to prior operations.

ChatGPT vulnerability enabled covert data exfiltration

⚠️ A security flaw in ChatGPT could be triggered by a single malicious prompt to create a covert exfiltration channel, researchers at Check Point reported. The issue allowed data to be leaked via a DNS side channel from the model’s isolated runtime and was patched by OpenAI on 20 February after disclosure. Check Point demonstrated extraction of uploaded files and private prompts and warned that users copying prompts from public sources could be exposed.

TeamPCP Targets Stolen Supply Chain Secrets, Monetizes Data

🔐 Researchers at Wiz report that TeamPCP has been harvesting, validating, encrypting and exfiltrating cloud credentials, SSH keys, Kubernetes configs and other development secrets from compromised supply chain components to attacker-controlled domains. The group used typosquatting on PyPI to push credential-stealing malware into packages affecting Trivy, KICS, LiteLLM and Telnyx. Wiz warns this activity appears linked to, or at least shared with, extortion-focused actors such as Lapsus$, and vendors report claims of partnerships with ransomware affiliates, raising the risk of follow-on ransomware campaigns.