Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Zimbra Urges Immediate Update to Fix Critical Classic Web Client XSS Vulnerability

  Zimbra has released a security update to address a critical vulnerability in the Zimbra Classic Web Client that could allow malicious acto...

All the recent news you need to know

Counterfeit USB Drives Spread China-Linked Virus in Japan’s Military

 

Counterfeit USB flash drives supplied to Japan’s Ground Self-Defense Force (JGSDF) in March 2024 spread a China-linked computer virus across secure military networks for nearly a year before the breach was finally detected. The incident, first reported by Japan’s Nikkei newspaper in June 2026, highlights how seemingly innocuous hardware can compromise even tightly controlled, air-gapped systems when supply-chain oversight and procurement protocols are insufficient. 

The infected drives were distributed to the JGSDF during earthquake relief operations in central Japan and were assumed to be legitimate, low-cost storage devices. An internal review later determined that six of eight USB sticks tested contained embedded malware that activated automatically upon insertion into a computer. Despite existing protocols that required scanning of external drives both upon receipt and during use, the infection remained undetected until February 2025, when a soldier in Itami, near Osaka, noticed unusually sluggish computer performance and initiated a diagnostic scan.

By that time, more than 50 of roughly 480 computers at the regional command had connected to the compromised drives, with nearly half of them handling classified information such as troop movements and operational plans. Forensic analysis by the JGSDF’s cyber defense unit revealed that the devices were counterfeit, using cheaper, slower microSD cards instead of standard memory chips and preloaded with malicious code. 

Security researchers linked the malware to Mustang Panda, also known as Earth Preta or Camaro Dragon, a China-associated advanced persistent threat (APT) group previously observed targeting government, education, and telecommunications sectors in Vietnam and Australia. Japanese officials stated there was no confirmed evidence of data exfiltration or external command-and-control communication, but the episode demonstrated how supply-chain compromises can silently bridge isolated networks without triggering conventional defenses. 

The fallout extended well beyond the military, as identical counterfeit USB drives were found circulating on major e-commerce platforms such as Amazon and Rakuten, priced 30 to 50 percent below authentic brands and traced to seller accounts in China. Reports of similar infections emerged in Japanese factories, research laboratories, and hospitals—environments that rely on removable media to transfer data across segmented or legacy systems. Security experts warn that such attacks exploit the tension between operational necessity and security policy: while outright bans on USB drives are often impractical in critical infrastructure, trusting removable media without rigorous, purpose-built validation leaves sensitive systems exposed to persistent threats. 

The JGSDF incident underscores three enduring lessons for organizations and governments: verify hardware provenance through trusted suppliers, treat all removable media as untrusted until scanned by dedicated security tools, and assume air gaps are permeable wherever physical media can cross them. For cybersecurity professionals and content creators tracking evolving threats, this case illustrates that supply-chain risk is not an abstract concept but a tangible vulnerability embedded in everyday devices—from USB sticks to firmware updates—demanding layered defenses that combine procurement discipline, technical controls, and continuous monitoring to protect critical networks.

Authentic GitHub Repository Can Trick AI Agents Into Installing Malware


An agentic AI coding tool built for making a GitHub repository and cloning could launch a malicious payload that stays hidden to AI agents, human reviewers, and security scanners. 

Malicious payload with no exploit code

Experts from Mozilla Zero Day Investigative Network (0DIN) AI security platform said that the exploit takes place without any warning, no exploit code, and no malicious command approved by anyone.

Experts showed how a threat actor could deploy an interactive shell on a developer’s system via Claude Code to launch a cloned project with no malicious code in the repository.

The attack tactic relies on three patterns that show no signs of exploit:

  • An authentic-looking GitHub repository with setup details, like deploying dependencies and starting the project.
  • The python package is then intentionally built to deny execution until it has started; it shows an error commanding the user to run pyhton3 -m axiom init. Claude code perceives it as a normal setup issue and automatically runs the instructed command while trying to recover from the error.
  • Executing python3 -m axiom init calls a shell script that retrieves the configuration value stored in a DNS TXT record controlled by the attacker, and is executed as a command.

About the technique

oDIN experts said that this technique requires no malicious parts in the cloned repository as the AI agent automates the full attack line, also comprising a level that impersonates a user error.

Once successful, the threat actor would get a shell with developer’s privileges, allowing them access to API keys, environment variables, making establish persistence, and local configuration files.

“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” oDIN experts said. “The attacker now has an interactive shell running as the developer's own user.”

Future implications

Currently, the attack tactic is just a concept, but experts warn that hackers could effectively spread such GitHub repositories via fake job postings, direct messages, tutorials, and blog posts.

To avoid such exploits in future, oDIN researchers advise that AI agents should reveal the full deployment chain of setup instructions, like scripts and code retrieved dynamically at runtime. 

JadePuffer: First AI-Agent Ransomware Automates Entire Attack

 

Security researchers have identified JadePuffer as the first ransomware operation conducted entirely by an AI agent, marking a watershed moment in automated cyberattacks. Discovered by cloud security firm Sysdig, this incident demonstrates how large language model (LLM) agents can now execute complex intrusion campaigns without human intervention during the attack itself. 

Attack methodology 

The attack began by exploiting CVE-2025-3248, a critical remote code execution vulnerability in Langflow, an open-source platform for building LLM applications. Once inside the initial server, the AI agent systematically gathered intelligence, harvested credentials, and mapped the network to identify higher-value targets. It then pivoted to a production server running MySQL and Nacos configuration management, where it leveraged another known authentication bypass vulnerability to gain administrative access. 

What made JadePuffer particularly notable was its ability to detect and correct errors autonomously during the attack. When the agent's first attempt to create an administrator account failed, it analyzed the error and launched a corrected procedure just 31 seconds later, successfully modifying its credential generation approach. Sysdig researchers emphasized that this rapid self-correction capability is a strong indicator of genuine agentic behavior rather than a human operator using conventional automation tools. 

After securing access, JadePuffer encrypted more than 1,300 configuration elements in the database, deleted the original tables, and left a ransom note with a Bitcoin address and contact email. However, analysis revealed a disturbing detail: the encryption key was never stored or transmitted to any attacker-controlled server, suggesting victims could not recover their data even if they paid. Researchers believe this indicates the attack was oriented more toward data destruction than financial extortion, with claims of external backups appearing to be psychological pressure tactics without evidence of actual exfiltration. 

Security implications 

While JadePuffer has drawn attention to AI's role in cybercrime, experts stress that the fundamental vulnerability was poor security hygiene rather than the AI itself. Exposed credentials, unpatched vulnerabilities, default configurations, and excessive privileges enabled the agent to traverse the infrastructure within minutes. This incident underscores the urgent need for organizations to harden their AI application deployments, implement zero-trust architectures, and maintain rigorous patch management, as autonomous agents will increasingly exploit any weakness they encounter at machine speed.

Google Sent Earthquake Warnings Before Venezuela Tremor Reached Millions


In Venezuela, millions of Android users received earthquake alerts on their phones just minutes before two devastating 7.1 and 7.5 earthquakes struck, highlighting the increasing importance of smartphone-based early warning systems for disaster response. 


Google reported that its Android Earthquake Alerts System issued warnings to approximately 11.4 million people during the earthquakes in Venezuela. It was estimated that nearly 1.4 million users received the highest priority "Take Action" alerts, with warning times ranging from a few seconds to nearly two minutes based on their distance from the epicentre. 

Using Google's Android Earthquake Alert System, alerts were generated at the earliest signs of seismic activity and sent to affected areas prior to the strongest ground shaking. Warnings included an estimation of magnitude and an approximate distance from the epicentre to allow recipients to take immediate protective measures before destructive shaking began. 

Experts pointed out that Google did not predict the earthquake. The system detected primary seismic waves (P-waves), which are fast-moving and travel in advance of secondary waves (S-waves), which are stronger and more destructive. Within approximately three seconds after the earthquake began, stationary Android phones detected the initial P-waves, while Google's servers confirmed the event and began issuing alerts approximately six seconds later. 

As Nikhar Arora, Director at BOTS, explains, the magnitude shown in the initial alert is merely a preliminary estimate and can be revised if more seismic data becomes available. According to HR Anexi, Android smartphones are essentially a large-scale distributed sensor network. With their accelerometers, Android smartphones can detect unusual ground movement, allowing Google to analyze data from multiple nearby devices, estimate the location and magnitude of an earthquake, and send an alert rapidly. 

After launching the Android Earthquake Alerts System in California in 2020, Google expanded the system worldwide in 2021. In regions where monitoring infrastructure is limited, this platform uses data from national seismological agencies along with crowdsourced Android smartphone networks to identify earthquakes and to deliver rapid alerts. 

It is estimated that hundreds of millions of earthquake warnings have been delivered worldwide by the Android Earthquake Alerts System, thus significantly expanding access to early warning technology to areas without dedicated seismic alert infrastructure. With limited earthquake early warning infrastructure in Venezuela, Google's crowdsourced smartphone network was instrumental in estimating the location and intensity of an earthquake by analysing motion data from thousands of Android devices before stronger shaking reached nearby areas. 

A new debate has arisen over the role of technology in disaster management following the Venezuela incident. In his opinion, Hrishit Panthry, the Co-Founder of Envirocare Foundation, stated that smartphones have become a powerful tool for delivering emergency alerts directly to citizens. With the growth of cities and the interconnection of infrastructure, early-warning systems are becoming increasingly important as cities continue to expand. It is also believed that lessons can be applied beyond earthquakes.

A similar real-time warning technology would improve community resilience by facilitating faster communication during other natural disasters, such as flooding, severe storms, and extreme heat. Additionally, the incident highlighted differences between how earthquake alerts are delivered via smartphone platforms. The built-in sensors on Android devices can detect seismic activity in conjunction with official monitoring systems, while other platforms in many regions rely primarily on government-run alert systems for emergency notification.

Experts believe that the wider adoption of integrated warning technologies could help to further strengthen public safety. During the recent Venezuelan earthquakes, governments, scientists and technology companies have demonstrated how they are increasingly utilizing connected devices and real-time data in order to strengthen emergency response efforts. 

Although early warning systems cannot prevent earthquakes, experts say even a few seconds prior notice can assist in saving lives. During the Venezuela earthquake, advances in smartphone-based early warning systems were demonstrated as a major factor in improving disaster preparedness. 

Even though no technology can predict an earthquake in advance, rapid detection and timely alerts can provide crucial seconds to help reduce injuries and improve emergency responses. As these systems continue to evolve, collaboration among technology companies, scientists, and governments will be crucial to expanding access to life-saving warnings worldwide.

India Orders Telegram to Crack Down on Pirated Movies and OTT Content, Seeks Compliance Report

 

Ministry of Information and Broadcasting (MIB) has directed the messaging platform Telegram to take down the pirated films, OTT content and other audio-visual material uploaded on it. It also called upon the company to put in place measures to actively detect, report, disable and remove such unauthorized content from its platform instead of waiting for the government to notify it of alleged violations. 

As per the ministry's direction, the company was also asked to provide the details regarding steps taken by it against repeat offenders of copyright infringement on its platform like channels, groups, bots, admins, users and other entities. As per the notice sent by the ministry, the company was also asked to provide the details about its grievance redressal mechanism for film producers, OTT platforms, broadcasters, and law enforcement agencies concerning copyright infringements. 

At the same time, Telegram was also asked to suggest the steps it has taken to prevent, detect and remove the unauthorized copyrighted content. The ministry clarified that with the directions issued, there is an attempt to move to the next level in taking action against copyright infringement on online platforms. It emphasized that apart from responding to individual complaints, the onus is upon the companies to put in place robust systems to proactively prevent and detect such violations. 

The government has already taken down over 3,000 Telegram channels for hosting and distributing pirated content. However, it is felt that the step taken so far by blocking channels one by one is not an effective approach and the companies need to move to the next level. The ministry reminded Telegram that it was obliged to comply with the requirements of the Information Technology Act, 2000 and Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 concerning its responsibility as an intermediary platform. 

It observed that due diligence by the companies so that they are not host to any unlawful activities on their platforms cannot be left to the authorities to identify the channels hosting unlawful content. The ministry drew attention to the fact that violation of copyright laws in India is not only a civil wrong but also a punishable offence under Copyright Act, 1957 and Cinematograph Act, 1952. 

Therefore, continued availability of unauthorized content on Telegram, lack of adequate response as expected by the ministry, and failure to address the issues raised by it may trigger further regulatory actions. The latest initiative by the ministry reflects its commitment to protecting and promoting India's creator economy and the content ecosystem. 

It may be noted that the government has taken several steps to ensure that the rights of filmmakers, broadcasters, OTT platforms, producers, distributors and other content creators are protected against online piracy. By asking the online intermediaries to take more responsibility, the government is encouraging them to adopt better moderation practices in order to prevent the unlawful use of content on their platforms.

Centre Plans New Cybersecurity Norms for Electric Two- and Three-Wheelers to Address Battery Tampering Risks

 

The Central government is preparing to introduce new cybersecurity measures aimed at preventing unauthorised tampering with the batteries of electric two-wheelers and three-wheelers. The proposed regulations are expected to mandate stronger software security standards for electric scooters and e-rickshaws, including fully imported models, which have so far operated with limited cybersecurity oversight.

As part of the initiative, authorities are also considering banning mobile applications that can be used to exploit vulnerabilities in electric vehicles equipped with imported Chinese batteries. 

Officials from the Ministry of Heavy Industries and the Ministry of Electronics and Information Technology have reportedly held discussions on addressing these security concerns.

"The software security vulnerability will be plugged," a senior official told ET, adding downloads of mobile apps that can disturb e2w and e3w are expected to be curbed.

According to officials, the decision to restrict such software stems from the difficulty of individually fixing every electric two-wheeler and three-wheeler already in circulation. The software reportedly takes advantage of weaknesses in battery troubleshooting systems, enabling unauthorised users to interfere with vehicle operations.

Another official said electric rickshaws and low-speed electric scooters were initially permitted to encourage wider adoption of electric mobility. However, this also resulted in a significant influx of low-cost imported electric vehicles from China.

"A call has been taken to ensure more safety and software safeguards in new e2w and e3w sold in the country," the official said, adding roadworthy certificates will be issued only to new vehicle models that are free from such vulnerabilities.

The upcoming regulations are also expected to cover completely imported electric vehicles sold in India, ensuring they comply with the same cybersecurity and software safety requirements as locally manufactured models.

Featured