< ciso brief />

All news with #data exfiltration tag

182 articles · page 6 of 10

CISA Orders Agencies to Patch High-Severity MongoDB Flaw

🔒 CISA has ordered federal civilian agencies to secure systems against MongoBleed (CVE-2025-14847), a high-severity MongoDB Server vulnerability patched on December 19, 2025. The flaw, rooted in how the server uses the zlib compression library, can be exploited by unauthenticated actors to leak credentials, API/cloud keys, session tokens, logs, and PII. An Elastic researcher released a PoC and telemetry shows tens of thousands of potentially vulnerable instances; agencies must patch by January 19, 2026, or apply vendor mitigations or temporarily disable zlib until updates can be deployed.

MongoDB 'MongoBleed' Vulnerability Actively Exploited

⚠ A newly disclosed vulnerability, CVE-2025-14847 (dubbed MongoBleed), is being actively exploited to leak sensitive data from MongoDB server memory. The flaw in zlib-based network message decompression lets unauthenticated attackers send malformed compressed packets to read uninitialized heap memory before authentication. Researchers report over 87,000 potentially vulnerable instances worldwide and widespread exposure in cloud environments. Administrators should apply published patches, disable zlib compression as a temporary mitigation, restrict network exposure, and monitor for anomalous pre-auth connections.

MongoBleed flaw exposed MongoDB secrets on 87K servers

🔓 A critical MongoDB vulnerability, tracked as CVE-2025-14847 and dubbed MongoBleed, is being actively exploited to leak in-memory secrets from exposed servers. A public PoC demonstrates how a malformed zlib-compressed network message makes the server trust the uncompressed size declared in the message header rather than the number of bytes zlib actually produced, so the unfilled remainder of the allocated buffer, still holding stale heap data, is returned to the unauthenticated client and exposes credentials, API keys, session tokens, and other sensitive data. Over 87,000 instances were identified as potentially vulnerable on the public internet, and vendors released patches on December 19; administrators should prioritize upgrades or disable zlib compression if immediate upgrades are not possible.
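The three MongoBleed items above describe the same bug class: a decompressor that believes the size a peer declares instead of the size it actually produced. The following is an added example, not MongoDB's code and not the published PoC. It reduces the OP_COMPRESSED header to a single little-endian int32 declared length followed by the zlib body (the real header also carries the original opcode and a compressor id), and simulates a recycled heap allocation with a bytearray pre-filled with constructed secret-looking bytes. The vulnerable path returns every declared byte; the fixed path caps inflation at the declared size and rejects any mismatch.

```python
"""Added example (not MongoDB's code, not the published PoC): why trusting
the uncompressed size declared in a compressed wire message hands the
client stale buffer bytes, and the length check that closes it.

Assumptions: the header is reduced to one little-endian int32 declared
length followed by the zlib body.  The "heap" is simulated by a bytearray
pre-filled with constructed secret-looking bytes, standing in for memory
the allocator hands back without clearing."""
import struct
import zlib

MAX_MESSAGE = 48 * 1024 * 1024        # cap on what a client may claim; real servers bound this too
STALE = b"session=SECRET-TOKEN-1234;"  # constructed stand-in for leftover heap contents


def _reuse_heap(n: int) -> bytes:
    """Simulate an allocator returning n bytes that still hold old data."""
    return (STALE * (n // len(STALE) + 1))[:n]


def build_message(payload: bytes, declared_len: int) -> bytes:
    """Client side: declared_len is attacker-controlled and may exceed len(payload)."""
    return struct.pack("<i", declared_len) + zlib.compress(payload)


def vulnerable_decompress(msg: bytes) -> bytes:
    """Allocates declared_len bytes, writes what zlib produced at the front,
    and returns the whole declared length.  zlib itself stops output that
    would exceed the buffer; nothing checks the short case, so the tail
    beyond len(produced) is whatever was already in memory."""
    (declared_len,) = struct.unpack_from("<i", msg, 0)
    if not 0 <= declared_len <= MAX_MESSAGE:
        raise ValueError("declared size out of range")
    buf = bytearray(_reuse_heap(declared_len))
    produced = zlib.decompress(msg[4:])
    if len(produced) > declared_len:
        raise ValueError("output exceeds buffer")   # the one bound the old path enforced
    buf[: len(produced)] = produced                 # only this prefix is real data
    return bytes(buf)                               # caller treats all declared_len bytes as the message


def fixed_decompress(msg: bytes) -> bytes:
    """Never inflates past the claim and rejects any mismatch with it."""
    (declared_len,) = struct.unpack_from("<i", msg, 0)
    if not 0 <= declared_len <= MAX_MESSAGE:
        raise ValueError("declared size out of range")
    d = zlib.decompressobj()
    produced = d.decompress(msg[4:], declared_len)  # max_length bounds the output
    if len(produced) != declared_len or not d.eof:
        raise ValueError(f"zlib produced {len(produced)} bytes, header declared {declared_len}")
    return produced


def leaked_tail(msg: bytes) -> bytes:
    """Bytes the vulnerable path returns that were never part of the payload."""
    real = zlib.decompress(msg[4:])
    return vulnerable_decompress(msg)[len(real):]


def rejects(msg: bytes) -> bool:
    """True when the fixed path refuses the message."""
    try:
        fixed_decompress(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    m = build_message(b'{"isMaster": 1}', declared_len=96)
    print("vulnerable path leaks:", leaked_tail(m))
    print("fixed path rejects:", rejects(m))
```

The same comparison applies to any format that pairs a declared plaintext length with a compressed body: the check belongs on the producer's byte count, never on the peer's claim.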

Trust Wallet Chrome Extension Exploit Drains $7M; Patch Now

⚠️ Trust Wallet is urging Chrome extension users to update to version 2.69 after a security incident tied to extension v2.68 that resulted in roughly $7 million in stolen cryptocurrency. Security researchers at SlowMist say malicious code in the extension exfiltrated decrypted mnemonic phrases to an attacker-controlled domain by abusing the posthog-js analytics integration. The company has confirmed the impact, pledged refunds, and warned users to avoid unofficial communications; mobile and other browser versions are not affected.

Trust Wallet Extension Hack Led to $7M Crypto Theft

🚨 Trust Wallet confirmed a compromised Chrome extension update released on December 24 led to about $7 million in stolen cryptocurrency after users reported wallets drained. Binance founder Changpeng 'CZ' Zhao said Trust Wallet will cover losses and described affected funds as 'SAFU' while an investigation proceeds. Researchers found malicious code (4482.js) in version 2.68.0 that appeared to exfiltrate seed phrases to an external endpoint; users were urged to disable the extension and upgrade to version 2.69.

Trust Wallet Chrome Extension Compromise Drains Millions

🔒 Several users reported funds drained from the Trust Wallet Chrome extension after a compromised update (v2.68.0) released on December 24. Researchers found malicious, obfuscated code in a bundled file (4482.js) that exfiltrated seed phrases to api.metrics-trustwallet[.]com, and attackers also deployed a phishing site (fix-trustwallet[.]com) soliciting recovery seeds. Trust Wallet published a patched v2.69, urged users to disable or update the extension, and advised anyone with exposed seeds to move assets to new wallets and contact support.

Malicious Chrome Extensions Route Traffic to Steal Data

🔒 Two Chrome extensions in the Web Store, both published as Phantom Shuttle, are malicious plugins that hijack browser traffic and have been active since at least 2017, researchers report. Targeting users in China, the extensions pose as proxy and network-speed tools and prepend obfuscated code to the jQuery library to route requests through attacker-controlled proxies using hardcoded credentials and a PAC script. The plugins dynamically reconfigure Chrome proxy settings and route traffic for over 170 high-value domains, intercepting HTTP authentication challenges to capture form credentials, session cookies and API tokens while excluding local networks and the command-and-control domain to limit detection. At the time of reporting the extensions remained in Chrome's official marketplace; users are advised to install only extensions from reputable publishers and review requested permissions carefully.

Trojanized npm WhatsApp API library steals data silently

🔐 Security researchers uncovered 'lotusbail,' a malicious npm package that impersonates the legitimate @whiskeysockets/baileys WhatsApp Web client while quietly exfiltrating messages, credentials, and contact data from developer environments. The trojanized wrapper amassed over 56,000 downloads and operated for roughly six months before Koi Security flagged its behavior. Stolen information was encrypted and layered with multiple obfuscation techniques, and the malware leveraged WhatsApp multi-device pairing to keep an attacker device linked even after the package was removed.

Activists Claim Copy of Spotify’s Entire Music Library

🎵 Spotify is investigating claims by a collective of pirate activists who say they accessed 256 million rows of metadata and 86 million audio files — roughly 300 terabytes in total. The activists report that metadata, but not audio files, was made publicly available via Anna’s Archive, which frames the release as cultural preservation. Spotify has confirmed a probe into an incident in which a third party allegedly scraped public metadata and bypassed DRM protections to access certain audio files.

Coupang breach affects 33.7M users, raises data risks

🔒 Coupang disclosed a data breach impacting 33.7 million customer accounts, exposing names, phone numbers, email addresses, delivery address books and purchase histories. The company detected unusual activity on November 6, confirmed a breach on November 18 and publicly disclosed the incident on November 29; attackers had access from June 24 to November 8. A former employee who retained access keys is the prime suspect. The incident highlights a gap: data that regulators do not require to be encrypted was stored in the clear, underscoring the need for stronger voluntary protections.

DPRK Hackers Responsible for $2.02B Crypto Theft in 2025

💰 Threat actors linked to North Korea stole at least $2.02 billion in cryptocurrency during 2025, a 51% increase year‑over‑year that made DPRK actors the leading source of global crypto theft. Chainalysis attributes much of the total to a February compromise of Bybit, estimated at $1.5 billion and linked to the cluster TraderTraitor. The report details systematic laundering across DeFi, mixers, bridges and OTC services, and an expanded use of IT infiltration schemes such as Wagemole to gain privileged access and facilitate high‑impact thefts.

China-Linked Ink Dragon Employs ShadowPad and FINALDRAFT

🛡️ Check Point Research links a sustained espionage campaign to the China-aligned cluster known as Ink Dragon (also tracked as Jewelbug, CL-STA-0049, Earth Alux/REF7707) that has targeted government and telecommunications organisations across Europe, Asia and Africa since at least March 2023. The actor exploits exposed web applications and predictable ASP.NET machine keys to drop web shells and install a custom ShadowPad IIS Listener, turning compromised servers into resilient C2 relays. Operators deploy a modular backdoor FINALDRAFT (aka Squidoor), alongside NANOREMOTE, loaders and tooling such as VARGEIT and Cobalt Strike to enable stealthy lateral movement, credential theft and high-throughput exfiltration.

Ink Dragon Uses European Government Servers as Relays

🔍 A prolific China-linked group known as Ink Dragon is exploiting misconfigured public-facing servers in European government networks to create relay nodes, Check Point reports. After probing IIS, SharePoint and other web services for configuration flaws, operators quietly harvest credentials, reuse administrator and service accounts, and move laterally using Remote Desktop to blend into normal traffic. They install backdoors and credential-stealing implants, and deploy a customized ShadowPad module and a new FinalDraft backdoor to maintain long-term access and obfuscate command channels.

Browser VPN Extension Found Harvesting AI Chat Data

🔒 Security researchers have found that the popular Chrome extension Urban VPN Proxy (featured in the Chrome Web Store and used by millions) contained scripts that intercepted AI chat conversations and transmitted them to company-controlled analytics servers. The functionality, introduced in version 5.5.0 on July 9, 2025, allegedly runs regardless of whether the VPN is active and cannot be disabled via settings. Koi's analysis says prompts, responses, timestamps and session identifiers were captured and compressed before exfiltration. The same capability was reportedly present in seven related extensions from the same publisher, potentially affecting more than 8 million users across Chrome and Edge.

Urban VPN Extension Caught Exfiltrating AI Chat Data

🔒 Researchers at Koi found that the popular Urban VPN Proxy browser extension injects scripts to capture full AI chat conversations — including prompts and responses — then exports them to the extension vendor's backend. The monitoring runs even when the VPN is disabled and activates on major platforms such as ChatGPT, Claude, Gemini, Perplexity and Grok. For organizations that paste internal code, data or research into AI tools, this creates a significant data-theft risk outside corporate controls.

NANOREMOTE Windows Backdoor Abuses Google Drive API for C2

🔍 Elastic Security Labs has detailed a Windows backdoor named NANOREMOTE that leverages the Google Drive API to stage payloads and exfiltrate data, making detection more difficult. The C++ implant implements a robust task manager for queued uploads and downloads with pause, resume and cancel capabilities and exposes 22 command handlers for reconnaissance, execution and file transfer. Researchers also observed a WMLOADER dropper and an uploaded artifact linking NANOREMOTE to the FINALDRAFT family, indicating likely code reuse.

Marquis Software Breach Impacts Over 780,000 Nationwide

🔒 Marquis Software Solutions confirmed a breach affecting more than 780,000 individuals after attackers exploited a SonicWall firewall vulnerability on 14 August. The company shut down affected systems and engaged external cybersecurity specialists; a late-October review found unauthorized actors copied files containing personal and financial data from certain business customers. Marquis is offering free credit monitoring and has implemented multiple security controls while its investigation continues, and it reports no evidence so far that the stolen data has been posted online.

Researchers Find 30+ Flaws in AI IDEs, Enabling Data Theft

⚠️ Researchers disclosed more than 30 vulnerabilities in AI-integrated IDEs in a report dubbed IDEsaster by Ari Marzouk (MaccariTA). The issues chain prompt injection with auto-approved agent tooling and legitimate IDE features to achieve data exfiltration and remote code execution across products like Cursor, GitHub Copilot, Zed.dev, and others. Of the findings, 24 received CVE identifiers; exploit examples include workspace writes that cause outbound requests, settings hijacks that point executable paths to attacker binaries, and multi-root overrides that trigger execution. Researchers advise using AI agents only with trusted projects, applying least privilege to tool access, hardening prompts, and sandboxing risky operations.
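The IDEsaster item above is a case for a gate in front of agent tool calls rather than auto-approval. The following is an added example, not code from the report or from any IDE named there. It assumes a tool-call shape of `{"tool": ..., ...}`, an illustrative list of IDE configuration locations that deserve a human look (settings, tasks, workspace files, .env files), and explicit allowlists for shell commands and outbound hosts; everything else is refused by default. Paths are resolved before comparison so `..` and symlinks cannot land a write outside the workspace root.

```python
"""Added example, not code from the IDEsaster report or from any IDE named
above: a deny-by-default gate in front of an agent's tool calls.  The
tool-call shape ({"tool": ..., ...}), the protected-location patterns and
the two allowlists are assumptions chosen for illustration."""
from fnmatch import fnmatch
from pathlib import Path
from urllib.parse import urlsplit

ALLOW, ASK, DENY = "allow", "ask", "deny"

# Locations whose contents change how the IDE or agent executes things
# (settings, tasks, workspace definitions, secrets).  Illustrative list.
PROTECTED_DIRS = {".vscode", ".idea", ".cursor", ".git"}
PROTECTED_FILES = ("*.code-workspace", ".env*")


class ToolGate:
    def __init__(self, workspace_root, shell_allow=(), net_allow=()):
        self.root = Path(workspace_root).resolve()
        self.shell_allow = set(shell_allow)
        self.net_allow = {h.lower() for h in net_allow}

    def _relative(self, p):
        """Path relative to the workspace after resolving '..' and symlinks,
        or None when the resolved target lands outside the root."""
        target = Path(p)
        target = (target if target.is_absolute() else self.root / target).resolve()
        try:
            return target.relative_to(self.root)
        except ValueError:
            return None

    def decide(self, call):
        """Return (verdict, reason).  Unknown tools are denied, not asked."""
        tool = call.get("tool")
        if tool in ("write_file", "delete_file"):
            rel = self._relative(call.get("path", ""))
            if rel is None:
                return DENY, "path resolves outside the workspace"
            in_protected_dir = bool(set(rel.parts[:-1]) & PROTECTED_DIRS)
            protected_name = any(fnmatch(rel.name, g) for g in PROTECTED_FILES)
            if in_protected_dir or protected_name:
                return ASK, f"{rel.as_posix()} can change how code is executed; needs human approval"
            return ALLOW, rel.as_posix()
        if tool == "run_shell":
            argv = call.get("argv") or []
            if not argv:
                return DENY, "empty command"
            if argv[0] in self.shell_allow:
                return ALLOW, " ".join(argv)
            return ASK, f"{argv[0]} is not on the shell allowlist"
        if tool == "http_fetch":
            host = (urlsplit(call.get("url", "")).hostname or "").lower()
            if host and host in self.net_allow:
                return ALLOW, host
            return DENY, f"outbound request to {host or '<no host>'} not allowed"
        return DENY, f"unknown tool {tool!r}"


if __name__ == "__main__":
    gate = ToolGate("agent_ws", shell_allow=("git", "pytest"), net_allow=("pypi.org",))
    for call in ({"tool": "write_file", "path": "src/app.py"},
                 {"tool": "write_file", "path": ".vscode/settings.json"},
                 {"tool": "write_file", "path": "docs/../../escape.txt"},
                 {"tool": "http_fetch", "url": "https://attacker.example/collect"}):
        print(call, "->", gate.decide(call))
```

The ASK verdict is the important one: a settings or workspace write is legitimate often enough that blocking it outright breaks the agent, but it is exactly the path the report's settings-hijack and multi-root examples take, so it must not be auto-approved.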

Leroy Merlin Notifies French Customers of Data Breach

🔔 French home improvement retailer Leroy Merlin has notified customers in France that certain personal data may have been exposed in a cyberattack, including full names, phone numbers, email and postal addresses, dates of birth and loyalty program details. The company says no banking data or account passwords were involved and that it moved quickly to block unauthorized access and contain the incident. The notice warns customers to be vigilant against phishing and impersonation attempts; BleepingComputer confirmed the notification is genuine and has sought further details. No ransomware group had claimed responsibility at the time of reporting.

ShadyPanda Browser Extension Campaign Hits 4.3M Users

🛡️ A seven-year browser extension campaign attributed to the actor known as ShadyPanda has infected 4.3 million Chrome and Edge users by operating legitimately for years and then pushing malicious updates. A Koi Security report describes a remote code execution backdoor that affected roughly 300,000 users across five extensions, including Clean Master, and a parallel spyware push via Edge extensions such as WeTab. Malicious updates enabled hourly downloads of arbitrary JavaScript, extensive logging of site visits, exfiltration of encrypted browsing histories, and comprehensive browser fingerprinting.
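The Phantom Shuttle, Urban VPN and ShadyPanda items on this page each needed a capability that is visible in the extension's manifest before any script runs: proxy control, the ability to see HTTP authentication challenges, a content script injected into AI chat sites, or blanket access to every host. The following is an added example, not code from Koi Security or any of the reports, that audits an unpacked extension's manifest.json for those capabilities. The manifest keys and permission names are Chrome's; the AI chat host list and both sample manifests are constructed for this example.

```python
"""Added example, not code from Koi Security or any report on this page:
a static check of an unpacked extension's manifest.json for the
capabilities the Phantom Shuttle, Urban VPN and ShadyPanda extensions
relied on.  AI_CHAT_HOSTS and the two sample manifests are constructed;
manifest keys and permission names are Chrome's."""
import json

AI_CHAT_HOSTS = {"chatgpt.com", "claude.ai", "gemini.google.com",
                 "perplexity.ai", "grok.com"}            # assumed host list
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
AUTH_INTERCEPT = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}


def pattern_host(pattern):
    """Host of a Chrome match pattern ('*://*.chatgpt.com/*' -> 'chatgpt.com');
    None when the pattern matches every host."""
    if pattern in BROAD_PATTERNS:
        return None
    _, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    if host in ("*", ""):
        return None
    return host[2:] if host.startswith("*.") else host


def host_matches(host, pattern):
    """Chrome's '*.example.com' covers example.com and every subdomain."""
    ph = pattern_host(pattern)
    if ph is None:
        return True
    return host == ph or host.endswith("." + ph)


def audit_manifest(manifest):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 kept host patterns in "permissions"; MV3 moved them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_PATTERNS:
        findings.append("blanket host access: " + ", ".join(sorted(hosts & BROAD_PATTERNS)))
    if "proxy" in perms:
        findings.append("can rewrite browser proxy settings (chrome.proxy, PAC scripts)")
    if perms & AUTH_INTERCEPT:
        findings.append("can observe or answer HTTP auth challenges: " + ", ".join(sorted(perms & AUTH_INTERCEPT)))
    for cs in manifest.get("content_scripts", []):
        hit = sorted(h for h in AI_CHAT_HOSTS if any(host_matches(h, p) for p in cs.get("matches", [])))
        if hit:
            findings.append(f"content script {cs.get('js')} injected into AI chat sites: {', '.join(hit)}")
    return findings


# Constructed sample manifests, not real extensions.
SUSPECT = {
    "manifest_version": 3, "name": "Free Speedy Proxy",
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
}
BENIGN = {
    "manifest_version": 3, "name": "Docs Helper",
    "permissions": ["storage"],
    "host_permissions": ["*://*.example.com/*"],
    "content_scripts": [{"matches": ["*://docs.example.com/*"], "js": ["helper.js"]}],
}

if __name__ == "__main__":
    for m in (SUSPECT, BENIGN):
        print(m["name"], json.dumps(audit_manifest(m), indent=2))
```

A manifest audit cannot see what a script does once injected, and ShadyPanda in particular stayed clean for years before its updates turned malicious, so this check belongs in a recurring inventory of installed extensions rather than a one-time install review.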