All news with #data exfiltration tag

⚠️ Security researchers disclosed that an npm package, eslint-plugin-unicorn-ts-2, embeds a deceptive prompt aimed at biasing AI-driven security scanners and also contains a post-install hook that exfiltrates environment variables. Uploaded in February 2024 by user "hamburgerisland", the trojanized library has been downloaded 18,988 times and remains available; the exfiltration was introduced in v1.1.3 and persists in v1.2.1. Analysts warn this blends familiar supply-chain abuse with deliberate attempts to evade LLM-based analysis.

🐛 The Glassworm campaign has resurfaced in a third wave, with 24 new malicious VS Code-compatible extensions appearing on both the Microsoft Visual Studio Marketplace and OpenVSX. Once installed, these extensions push updates that deploy Rust-based implants, use invisible Unicode to evade review, exfiltrate GitHub, npm, and OpenVSX credentials and cryptocurrency wallet data, and deploy a SOCKS proxy and an HVNC client for stealthy remote access. Researchers say attackers inflate download counts to blend with legitimate projects and manipulate search results; both vendors have been contacted about continued bypasses.

🔐 A new wave of the self‑replicating npm worm, dubbed Sha1‑Hulud: The Second Coming, impacted over 800 packages and 27,000 GitHub repositories, targeting API keys, cloud credentials, and repo authentication data. The campaign backdoored packages, republished malicious installs, and created GitHub Actions workflows for command‑and‑control while dynamically installing Bun to evade Node.js defenses. GitGuardian reported hundreds of thousands of exposed secrets; PyPI was not affected.

🔒 The Royal Borough of Kensington and Chelsea (RBKC) has warned residents their data may have been compromised after unusual activity linked to a shared IT service provider was detected earlier this week. The council says it has evidence that some historical data was copied and removed and that the material could end up in the public domain. RBKC urged residents to be vigilant for phishing and social‑engineering attempts via email, text and phone while services are restored, and warned disruption could continue for at least two weeks as investigations and recovery proceed.

🔒 Singaporean researchers demonstrated how inexpensive offline dashcams can be weaponized into a self‑propagating surveillance network. They identified common weaknesses — default or hardcoded Wi‑Fi credentials, exposed services (FTP/RTSP), MAC‑spoofing and replay attacks — that allow attackers to download video, audio, timestamps and GPS metadata. The team showed mass compromise is feasible and offered mitigation steps for vendors and drivers.

🐛 Security teams have warned of a rapidly spreading secret-stealing worm, Shai-Hulud, that has resurfaced in the npm ecosystem and already infected hundreds of packages with tens of millions of downloads. First seen in September, attackers hijack developer accounts to publish trojanized packages that exfiltrate AWS keys and GitHub tokens to attacker-controlled repositories. Vendors including Wiz Security and Mondoo report explosive scaling—hundreds of new repos discovered every 30 minutes—and urge urgent dependency audits. Recommended mitigations include rotating credentials, disabling npm postinstall scripts in CI, enforcing MFA, pinning versions, and using tools like Safe-Chain to block malicious packages.

⚠️ Researchers at Wiz, JFrog and others are tracking a renewed campaign of the Shai‑Hulud credentials‑stealing worm spreading through the npm registry and GitHub. The new Shai‑Hulud 2.0 executes during the preinstall phase, exfiltrates developer and CI/CD secrets to randomized repositories, and injects malicious payloads into other packages. Widely used modules, including @asyncapi/specs, Zapier, Postman and others, have been compromised, prompting immediate remediation steps for affected developers and organizations.

🔍 Researchers from the University of Vienna and SBA Research compiled a list of 3.5 billion active WhatsApp mobile numbers and associated personal details by abusing a contact-discovery API that lacked rate limiting. Running from a single server with five authenticated sessions, they queried more than 100 million numbers per hour and tested a generated space of 63 billion potential numbers. The team responsibly reported the issue and WhatsApp has since added rate-limiting protections. Although the researchers did not publish the dataset, their findings illustrate how unprotected APIs enable large-scale scraping and privacy exposure.

🔓 A threat actor claims to have stolen 2.3 terabytes of data from IT services provider Almaviva and posted the material on a dark web forum. The leak reportedly includes confidential documents and sensitive information related to FS Italiane Group, such as internal shares, technical documentation, contracts, HR and accounting archives. D3Lab's Andrea Draghetti says the files are recent (Q3 2025) and not recycled from a 2022 Hive incident. Almaviva confirmed a breach, says affected systems were isolated, and that authorities have been notified while an investigation continues.

🔒 A threat actor claims to have stolen 2.3 terabytes of data from Almaviva, the IT services provider linked to Italy's state-owned rail operator, FS Italiane Group. The actor posted the alleged dump on a dark web forum and described the contents as confidential documents, technical files, contracts, HR and accounting archives. Almaviva confirmed a cyberattack affecting corporate systems, said some data were taken, and reported it to national authorities while an investigation is ongoing.

🛡️ Gartner warns that by 2030 more than 40% of organizations will experience security and compliance incidents caused by employees using unauthorized AI tools. A survey of security leaders found 69% have evidence or suspect public generative AI use at work, increasing risks such as IP loss and data exposure. Gartner urges CIOs to set enterprise-wide AI policies, audit for shadow AI activity and incorporate GenAI risk evaluation into SaaS assessments.

🔐 Eurofiber Group said its French subsidiary, Eurofiber France, experienced a breach after attackers exploited a software vulnerability to access its ticket management system and exfiltrate data. The company stated that sensitive bank details and other critical data were not affected. The incident impacted the ATE cloud portal and regional sub-brands (Eurafibre, FullSave, Netiwan, Avelia). Eurofiber says it closed the vulnerability, strengthened controls and engaged cybersecurity experts to support customers.

🔒 A threat actor exploited a Samsung Android image-processing zero-day, CVE-2025-21042, to deliver a previously unknown spyware called LandFall using malicious DNG images sent over WhatsApp. Researchers link activity back to at least July 23, 2024, and say the campaign targeted select Galaxy models in the Middle East. Unit 42 found a loader and a SELinux policy manipulator in the DNG files that enabled privilege escalation, persistence, and data exfiltration. Users are advised to apply patches promptly, disable automatic media downloads, and enable platform protection features.

🔒 A now-patched out-of-bounds write in libimagecodec.quram.so (CVE-2025-21042, CVSS 8.8) was used as a zero-click vector to deliver commercial-grade Android spyware known as LANDFALL. The campaign appears to have used malicious DNG images sent via WhatsApp to extract and load a shared library that installs the spyware. Unit 42 links activity to targets in Iraq, Iran, Turkey, and Morocco and notes samples dating back to July 2024. The exploit also deployed a secondary module to modify SELinux policy for persistence and elevated privileges.

🔒 The proliferation of age and identity verification laws is forcing organizations to retain sensitive government-issued IDs, increasing breach risk. A recent Discord incident exposed ID images via a compromised third-party provider, showing how regulatory mandates can create high-value data stores. The article advises that MSPs and affected organizations adopt natively integrated platforms and a single-agent, single-console approach to reduce attack surface, simplify operations and centralize visibility to mitigate these new risks.

🛡️ Cybersecurity researchers disclosed seven vulnerabilities in OpenAI's GPT-4o and GPT-5 models that enable indirect prompt injection attacks to exfiltrate user data from chat histories and stored memories. Tenable researchers Moshe Bernstein and Liv Matan describe zero-click search exploits, one-click query execution, conversation and memory poisoning, a markdown rendering bug, and a safety bypass using allow-listed Bing links. OpenAI has mitigated some issues, but experts warn that connecting LLMs to external tools broadens the attack surface and that robust safeguards and URL-sanitization remain essential.

🔍 Researchers at Koi Security uncovered a campaign, PhantomRaven, that has contaminated 126 packages in Microsoft's npm repository by embedding invisible HTTP URL dependencies. These remote links are not fetched or analyzed by typical dependency scanners or npmjs.com, making packages appear to have 0 Dependencies while fetching malicious code at install time. The attackers aim to exfiltrate developer credentials and environment details, and they also exploit AI hallucinations to create plausible package names.

🔒 Dentsu disclosed a cybersecurity incident at its U.S. subsidiary Merkle, saying attackers accessed and stole files containing client, supplier, and employee information. The company detected abnormal activity, proactively took certain systems offline, and initiated incident response procedures while engaging third‑party responders. A circulated memo indicated exposed payroll and bank details, salary and National Insurance numbers, and personal contact details; impacted individuals are being notified and authorities in affected countries have been informed. Dentsu said Japan-based systems were not impacted and that the full scope and financial impact remain under investigation; no ransomware group has claimed responsibility so far.

🔒 Coveware reports ransomware payment rates have fallen to a record low — just 23% of victims paid in Q3 2025, continuing a multi-year decline from 28% in Q1 2024. Over 76% of incidents now involve data exfiltration, and theft-only cases see payments drop to 19%. Average and median ransoms fell to $377,000 and $140,000, respectively, as attackers pursue more targeted victims.

🔒SentinelOne reported a one-day spear-phishing campaign on October 8 that targeted aid organisations and Ukrainian regional administrations. The operation, named PhantomCaptcha, delivered a WebSocket RAT hosted on Russian-owned infrastructure and used weaponized PDFs and a fake Cloudflare CAPTCHA to trick victims into executing PowerShell. The multi-stage chain enabled data exfiltration, persistent remote access and potential deployment of additional malware.