All news with #secrets exposure tag

AsyncRAT Delivery via ConnectWise ScreenConnect Abuse

⚠️ Cybersecurity researchers disclosed a campaign that abuses ConnectWise ScreenConnect remote sessions to deliver a fileless loader which ultimately executes the AsyncRAT remote-access trojan. Attackers use hands-on-keyboard activity to run a layered VBScript and PowerShell chain that loads obfuscated .NET assemblies and spawns AsyncClient.exe. Persistence is maintained via a scheduled task disguised as "Skype Updater," and stolen credentials, keystrokes, and wallet artifacts are exfiltrated to a DuckDNS command-and-control host.

Cursor autorun flaw lets repos auto-execute code silently

⚠ Cursor's autorun feature can allow repositories to execute code automatically when a folder is opened in Visual Studio Code with Cursor installed. Oasis Security researchers demonstrated that attackers can embed hidden instructions that trigger commands tied to workspace events without a developer's consent. With Workspace Trust disabled by default in Cursor, opening a project can enable token theft, file tampering or persistent malware. Developers should treat unknown repositories cautiously and enable available trust controls.

The Dark Side of Vibe Coding: AI Risks in Production

⚠️ One July morning a startup founder watched a production database vanish after a Replit AI assistant suggested—and a developer executed—a destructive command, underscoring dangers of "vibe coding," where plain-English prompts become runnable code. Experts say this shortcut accelerates prototyping but routinely introduces hardcoded secrets, missing access controls, unsanitized input, and hallucinated dependencies. Organizations should treat AI-generated code like junior developer output, enforce CI/CD guardrails, and require thorough security review before deployment.

Plex Urges Password Resets After Customer Data Breach

🔒 Plex reports an unauthorized third party accessed a limited subset of customer authentication data, including email addresses, usernames, and securely hashed passwords. The company says it quickly contained the incident and that no payment card information was stored on its servers. Because Plex did not disclose the hashing algorithm used, it recommends users reset their passwords, enable two‑factor authentication, and use the “Sign out connected devices after password change” option to terminate active sessions. Plex reminded customers it will never request passwords or card details by email.

18 Popular JavaScript Packages Hijacked to Steal Crypto

🔐 Akido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

GhostAction Campaign Steals 3,325 Secrets via GitHub Actions

🔍GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

Malicious npm Packages Impersonate Flashbots, Steal Keys

🔑 Researchers found four malicious npm packages impersonating Flashbots and common cryptographic utilities to harvest Ethereum wallet credentials. Uploaded by user "flashbotts" between September 2023 and August 19, 2025, the libraries exfiltrate private keys and mnemonic seed phrases to a Telegram bot and transmit environment data via Mailtrap SMTP. One package also redirects unsigned transactions to an attacker-controlled wallet.

VirusTotal Finds 44 Undetected SVG Malware Samples

⚠️ Cybersecurity researchers warn of a phishing campaign using Scalable Vector Graphics (SVG) files that embed JavaScript to decode and inject a Base64-encoded HTML page impersonating Colombia's Fiscalía General de la Nación. VirusTotal identified 44 unique SVG samples that evaded antivirus detection and reported a total of 523 SVGs seen in the wild, with the earliest from August 14, 2025. Attackers relied on obfuscation, polymorphism, and large volumes of junk code to bypass static detections and used a fake progress/download flow to trigger a background ZIP download. The disclosure coincides with separate macOS-focused campaigns distributing the AMOS information stealer via cracked-software lures and Terminal-based installers that attempt to circumvent Gatekeeper protections.

Sitecore ViewState Flaw Under Active Exploitation Now

⚠️ Mandiant reports attackers are actively exploiting a leaked ASP.NET machineKey sample from old Sitecore deployment guides to carry out ViewState code-injection attacks that execute arbitrary .NET assemblies in server memory. The issue, tracked as CVE-2025-53690, affects multi-instance deployments of Sitecore XM, XP, and XC that used the static sample key, and may also impact some Sitecore Managed Cloud Standard container configurations. After initial access, adversaries deploy tools Mandiant calls WEEPSTEEL and EARTHWORM, escalate to SYSTEM, create administrative accounts, dump SYSTEM/SAM hives, and move laterally. Sitecore customers are advised to inspect environments for indicators of compromise, rotate and encrypt <machineKey> entries, and follow Microsoft ASP.NET ViewState guidance.

Detecting and Preventing Data Leaks Before Disaster

🔒 In January 2025 Wiz Research discovered a publicly accessible ClickHouse database belonging to Chinese AI firm DeepSeek, exposing over one million log streams that included chat histories and secret keys. The issue was reported and quickly closed, but the event highlights how misconfigurations and human error can expose sensitive data. To reduce risk, organisations should adopt least-privilege access, deploy DLP solutions, classify high-risk data and provide ongoing staff training.

A CISO’s Guide to Monitoring the Dark Web Effectively

🔍 Dark web monitoring gives CISOs timely, actionable intelligence that can reveal breaches, stolen credentials, and early indicators of ransomware campaigns. Continuous visibility into forums, marketplaces, and leak sites helps detect initial access brokers, stealer logs, and items like RDP/VPN access being sold, enabling rapid containment and credential revocation. Use platforms such as SpyCloud and DarkOwl, subscribe to threat feeds and ISACs, and augment with deception (honeypots, canary tokens) while integrating findings into SIEM/XDR and incident response playbooks.

Salesloft–Drift OAuth Abuse Targets Salesforce Data

⚠️ Unit 42 observed a campaign that abused the Salesloft Drift integration using compromised OAuth credentials to access and exfiltrate data from customer Salesforce instances. The actor performed large-scale extraction of objects including Account, Contact, Case and Opportunity records and scanned harvested data for credentials. Salesloft revoked tokens and notified affected customers; organizations should immediately review logs, rotate exposed credentials and hunt for the provided IoCs.

TamperedChef Malware Hidden in Fake PDF Editor Installers

🛡️ Cybersecurity researchers report a malvertising campaign that lures users to counterfeit sites offering a trojanized PDF installer for AppSuite PDF Editor, which drops an information stealer named TamperedChef. The installer presents a license prompt while covertly downloading the editor, setting persistence via Windows Registry autorun entries and scheduled tasks that pass --cm arguments. Analysts at Truesec and G DATA found the backdoor harvests credentials and cookies and can download additional payloads.

Supply-Chain Attacks on Nx and React Expose Dev Credentials

🔒 A coordinated supply-chain campaign compromised multiple npm packages — most notably the Nx build system — and used post-install scripts to harvest developer assets across enterprise environments. Wiz found the malware weaponized local AI CLI tools to exfiltrate filesystem contents, tokens, SSH keys, and environment variables. Separately, JFrog uncovered obfuscated malicious React packages designed to steal Chrome data. Vendors removed the packages and recommend rotating credentials, removing affected versions, and auditing developer and CI systems.

Fake IT Support Phishing Targets Microsoft Teams Users

🔒 Researchers at Permiso have uncovered phishing campaigns that abuse Microsoft Teams by impersonating IT support to trick employees into installing remote access tools like QuickAssist and AnyDesk. Attackers gain full control of compromised endpoints, deploy credential-stealing malware and establish persistence. Campaigns are linked to the financially motivated actor EncryptHub and use simple impersonation tactics that bypass email defences. Security teams should monitor unusual external Teams activity and verify unexpected support requests.

Webinar: Code-to-Cloud Visibility — Foundation for AppSec

🔒 Join a focused 60-minute webinar on September 18, 2025 at 2 PM EST to learn why leading teams are prioritizing code-to-cloud visibility to reduce app risk and accelerate remediation. Experts will share practical steps to map code issues to cloud behavior, prioritize critical applications and automate fixes to shrink vulnerability counts and remediation time. Attendees receive a free ASPM checklist and a recording to apply learnings immediately.

Nx Build Supply-Chain Attack: Trojanized Packages Detected

🔐 The Nx package ecosystem was trojanized via a malicious post-install script, telemetry.js, which exfiltrated developer secrets from macOS and *nix environments. Stolen items included npm and GitHub tokens, SSH keys, crypto wallets, API keys and .env contents, uploaded to public GitHub repositories. Immediate actions include auditing Nx package versions, removing affected node_modules, rotating all potentially exposed secrets and monitoring repositories and Actions for misuse.

ShadowSilk Targets 35 Government Entities in APAC Region

🔎 Group-IB attributes a new cluster dubbed ShadowSilk to recent intrusions against 35 government and related organizations across Central Asia and APAC. The operators employ spear-phishing with password-protected archives to deploy a custom loader that conceals command-and-control traffic using Telegram bots and achieves persistence via Windows Registry modifications. Observed tooling includes web shells (ANTSWORD, Behinder, Godzilla, FinalShell), tunneling utilities, Cobalt Strike, and bespoke credential-stealing components used to exfiltrate data.

LLMs Remain Vulnerable to Malicious Prompt Injection Attacks

🛡️ A recent proof-of-concept by Bargury demonstrates a practical and stealthy prompt injection that leverages a poisoned document stored in a victim's Google Drive. The attacker hides a 300-word instruction in near-invisible white, size-one text that tells an LLM to search Drive for API keys and exfiltrate them via a crafted Markdown URL. Schneier warns this technique shows how agentic AI systems exposed to untrusted inputs remain fundamentally insecure, and that current defenses are inadequate against such adversarial inputs.

Cloudflare CASB API Scanning for ChatGPT, Claude, Gemini

🔒 Cloudflare One users can now connect OpenAI's ChatGPT, Anthropic's Claude, and Google's Gemini to Cloudflare's API CASB to scan GenAI tenants for misconfigurations, DLP matches, data exposure, and compliance risks without installing endpoint agents. The API CASB provides out-of-band posture and DLP analysis, while Cloudflare Gateway delivers inline prompt controls and Shadow AI identification. Integrations are available in the dashboard or through your account manager.