Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Breach. Show all posts
ShinyHunters
Data Breach Data Leak Harvard Breach Upenn Hack ShinyHunters

ShinyHunters Leak Exposes Harvard and UPenn Personal Data

 

Hacking group ShinyHunters has reportedly published more than a million records stolen from Harvard University and the University of Pennsylvania (UPenn) on its dark web site, putting a vast trove of sensitive personal data within reach of cybercriminals worldwide. The leaked data appears to contain sensitive details about the students, employees, alumni, donors, and family members of the breached organizations. This has expanded the scope of the compromised data to a wide range of people. Initial verification of the leaked data has revealed that at least some of the leaked data is genuine. 

The UPenn breach is believed to have begun in early November 2025, when the hackers gained access to an employee’s single sign-on (SSO) account by claiming to have obtained full access to the UPenn employee’s SSO account. This has essentially turned the SSO account into a master key that has allowed the hackers to access the UPenn VPN system, Salesforce data, the Qlik analytics platform, SAP business intelligence tools, and SharePoint. During the course of the attack, the hackers also used the compromised login credentials to send offensive emails to 700,000 people. Initially, UPenn believed that the emails were fake, but they later turned out to be real.

Harvard confirmed a related compromise roughly three weeks after the UPenn disclosure, tying its own incident to a successful voice phishing (vishing) campaign. In this case, attackers are said to have infiltrated Alumni Affairs and Development systems, exposing data on past and present students, donors, some faculty and staff, and even spouses, partners, and parents of alumni and students. The stolen records reportedly include names, dates of birth, home addresses, phone numbers, estimated net worth, donation history, and sensitive demographic attributes such as race, religion, and sexual orientation.

Unlike traditional ransomware operations that both encrypt systems and steal data, ShinyHunters appears to have focused solely on data theft and extortion, deploying no encryptors in these campaigns. The group allegedly attempted to negotiate payment in cryptocurrency in exchange for promising to delete the stolen files, following the now-common double extortion model. When talks broke down and the universities did not pay, the hackers responded by dumping the data openly on their dark web leak site, amplifying the risk of identity theft, harassment, and targeted scams for victims.

For Harvard and UPenn, the breaches highlight the dangers of over-reliance on SSO accounts and human-centric weaknesses such as vishing, where convincing phone calls trick staff into revealing or approving access. For affected individuals, the publication of highly personal and demographic information raises concerns around fraud, doxxing, discrimination, and reputational harm that could persist for years. The incidents reinforce the need for stronger multifactor authentication, rigorous phishing and vishing awareness training, and tighter controls around high-value institutional accounts holding large volumes of sensitive data.
Read more »
Vidar stealer variant
AI agent data theft AI infostealer malware Data Breach Hudson Rock research OpenClaw security breach Vidar stealer variant

Infostealer Breach Exposes OpenClaw AI Agent Configurations in Emerging Cyber Threat

 

Cybersecurity experts have uncovered a new incident in which an information-stealing malware successfully extracted sensitive configuration data from OpenClaw, an AI agent platform previously known as Clawdbot and Moltbot. The breach signals a notable expansion in the capabilities of infostealers, now extending beyond traditional credential theft into artificial intelligence environments.

"This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said.

According to Alon Gal, CTO of Hudson Rock, the malware involved is likely a variant of Vidar, a commercially available information stealer that has been active since late 2018. He shared the details in a statement to The Hacker News.

Investigators clarified that the data theft was not carried out using a specialized OpenClaw-focused module. Instead, the malware leveraged a broad file-harvesting mechanism designed to search for sensitive file extensions and directory paths. Among the compromised files were:
  • openclaw.json – Containing the OpenClaw gateway authentication token, a redacted email address, and the user’s workspace path.
  • device.json – Storing cryptographic keys used for secure pairing and digital signing within the OpenClaw ecosystem.
  • soul.md – Documenting the AI agent’s operational philosophy, behavioral parameters, and ethical guidelines.
Security researchers warned that stealing the gateway token could enable attackers to remotely access a victim’s local OpenClaw instance if exposed online, or impersonate the client in authenticated gateway interactions.

"While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user's AI assistant," Hudson Rock added. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today."

The disclosure follows mounting scrutiny over OpenClaw’s security posture. The platform’s maintainers recently announced a collaboration with VirusTotal to examine potentially malicious skills uploaded to ClawHub, strengthen its threat model, and introduce misconfiguration auditing tools.

Last week, the OpenSourceMalware research team reported an active ClawHub campaign that bypasses VirusTotal detection. Instead of embedding malicious payloads directly within SKILL.md files, threat actors are hosting malware on imitation OpenClaw websites and using the skills as decoys.

"The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities," security researcher Paul McCarty said. "As AI skill registries grow, they become increasingly attractive targets for supply chain attacks."

Another concern raised by OX Security involves Moltbook, a Reddit-style forum built specifically for AI agents operating on OpenClaw. Researchers found that AI agent accounts created on Moltbook cannot currently be deleted, leaving users without a clear method to remove associated data.

Meanwhile, the STRIKE Threat Intelligence team at SecurityScorecard identified hundreds of thousands of publicly exposed OpenClaw instances, potentially opening the door to remote code execution (RCE) attacks.

"RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system," the cybersecurity company said. "When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act."

Since its launch in November 2025, OpenClaw has experienced rapid adoption, amassing more than 200,000 stars on GitHub. On February 15, 2026, Sam Altman announced that OpenClaw founder Peter Steinberger would be joining OpenAI, stating, "OpenClaw will live in a foundation as an open source project that OpenAI will continue to support."
Read more »
Vendor Risk Management
Cloud Security Threats Customer Data Exposure Data Breach E Commerce Security payment processor breach Ransomware attack social engineering attacks Third Party Risk Vendor Risk Management

Hackers Leak 600000 Customer Records as Canada Goose Opens Investigation


 

Luxury retail is a rarefied industry where reputations travel faster than seasonal collections. Canada Goose, a brand associated with Arctic-quality craftsmanship and premium exclusivity, is now facing scrutiny from an unexpected part of the internet. 

In a cyber incident that the outerwear company insists did not originate within its walls, a cache of customer transaction data has appeared on a notorious ransomware leak site, putting the company at the center of the cyber incident that appears to have originated from a cache of customer transaction information. It has been reported that hackers have compromised Canada Goose's internal systems, but the luxury clothing brand maintains that its systems have not been compromised. 

On ShinyHunters' data leak portal, Canada Goose has been listed as having had 600,000 customer records exfiltrated by the notorious ransomware collective ShinyHunters. This dataset, which is approximately 1.67 gigabytes in size, contains detailed information regarding e-commerce orders, such as customer names, addresses, telephone numbers, and credit card numbers. 

It is the company's preliminary assessment that the exposed information relates to historical customer transactions, and no evidence indicates a breach of Canada Goose's corporate network has yet to be discovered. In response to the company's statements, it is actively reviewing the authenticity, origin, and scope of the dataset and will take appropriate measures if any potential risks to customers arise. 

There are partial details in the leaked records, including payment card brand names, the final four digits of card numbers, and in some cases, the first six digits of the issuing bank's name. Among the additional data in the dataset are payment authorization metadata, order histories, device and browser information, and transaction values.

Despite the absence of full credit card numbers, cybersecurity experts warn that even partial financial and transactional information can be manipulated to facilitate targeted scams, social engineering attacks, and fraud schemes. As part of its public denial, ShinyHunters has not indicated that the Canada Goose dataset is connected with recent social engineering campaigns targeted at single sign-on environments and cloud infrastructures.

In its claim, the group asserts that the records are a result of a breach of the payment processor in August 2025, a claim which has not been independently verified. According to the structure of the leaked data, it may have been derived from a hosted storefront or external payment processing platform, a fact that may support the group's assertion.

ShinyHunters has established itself as a company that penetrates e-commerce ecosystems, SaaS platforms, and cloud-hosted services, obtaining and publishing large quantities of consumer data in order to exert additional pressure on these companies. As described in threat intelligence assessments, ShinyHunters are an established data extortion operation with a history of obtaining and publicizing significant amounts of customer information from leading brands and online platforms.

Since the early 2010s, the group has been associated with a number of high-profile intrusions that frequently target e-commerce ecosystems, software as a service providers, and cloud environments where large datasets can be aggregated and monetized. 

A number of security researchers have also linked the collective with voice phishing and other social-engineering techniques aimed at compromising corporate credentials and shifting into cloud-based systems. In accordance with established patterns, stolen data is typically leveraged for financial coercion, sold on underground marketplaces, or published publicly on the leak portal of the group when ransom demands have not been met. 

Currently, it is not possible to determine whether Canada Goose has impacted customers in the exact manner described above. The company has stated it is examining the dataset to determine its authenticity, origin, and breadth before making a determination regarding whether customer notifications will be necessary.

There is a report that the exposed records contain partial payment card information, including the brand name of the card, the final four digits of the card number, and the ISIN number of the issuing bank, as well as details regarding the payment authorization. 

Cybersecurity professionals note that, even if full primary account numbers are not presented, truncated financial information, when combined with names, contact information, and transaction histories, can materially increase the success rate of targeted phishing schemes, credential harvesting schemes, and fraud schemes.

In addition to purchase histories, order values, and device and browser metadata, the dataset contains transaction information as well. Using such contextual information may allow adversaries to identify high spenders and develop convincing, transaction specific lures that mimic legitimate post-purchase correspondences.

Despite the lack of complete payment card details, the level of granularity increases downstream risk. Separately, ShinyHunters has recently been linked by independent researchers to a series of social engineering campaigns aimed at compromising single-sign-on environments and cloud accounts through social engineering.

According to the group, when questioned whether there was a correlation between those operations and the Canada Goose data, they denied such a connection, stating that the records were a consequence of a breach at a third-party payment processor dating back to August 2025. This assertion has not been independently verified. 

There is an apparent similarity between the structure of the leaked files including field labels such as checkout identifiers, shipping line entries, cart tokens, and cancellation metadata and export schemas that are typically generated by hosted storefronts and payment processing platforms. Although this does not establish the provenance of the data definitively, it indicates that the data may have originated within the environment of an external service provider rather than from a direct compromise of the retailer’s internal systems. 

It is evident that the incident underscores a broader reality facing retailers operating in increasingly interconnected digital supply chains. While core systems may remain unchanged, exposure risks may arise from third-party integrations which handle payments, order processing, and customer data storage. 

It has been observed by industry analysts that organizations that utilize external commerce and payment infrastructure must conduct rigorous vendor risk assessments, monitor their vendors continuously, and coordinate incident response procedures to limit downstream exposure. 

Customers are advised to maintain increased vigilance against unsolicited communications that reference past purchases or payment activity until the scope of the data is conclusively understood. 

A key takeaway from this episode is that data stewardship goes far beyond corporate boundaries, and resilience relies on ecosystem oversight as much as internal security protocols.
Read more »
South Korea
American Firms Coupang Data Breach economic impact legal challenges South Korea

More U.S. Investors Join Legal Dispute With South Korea Over Coupang Data Breach

 



A fresh wave of U.S.-based investment firms has joined an ongoing legal confrontation with the government of South Korea over its handling of a large scale cybersecurity incident involving Coupang.

On February 11, it was confirmed that three additional investors, Abrams Capital, Durable Capital Partners, and Foxhaven Asset Management, have formally moved to participate in arbitration proceedings. These firms are aligning with Greenoaks Capital and Altimeter Capital, which had already initiated legal action. By filing official notices, the new claimants are adopting and supporting the earlier case rather than launching a separate one.

At the center of the dispute is an allegation that South Korean authorities unfairly targeted Coupang and, by extension, other U.S.-linked businesses operating in the country. The investors claim that Seoul’s regulatory response following a large-scale consumer data breach amounted to discriminatory treatment that caused severe financial harm.

The controversy traces back to a disclosure made in November, when Coupang announced that personal information belonging to roughly 33 million customers in South Korea had been exposed in a cyber incident. Data breaches of this scale typically involve unauthorized access to customer records, which may include names, contact information, and other identifying details. The announcement triggered widespread public concern, political scrutiny, legal complaints, and cross-border tensions.

According to the investors pursuing arbitration, the government’s actions after the breach significantly affected shareholder value, resulting in losses amounting to billions of dollars. They argue that the regulatory measures taken were disproportionate and damaged investor confidence.

In addition to arbitration efforts, the newly joined investors have sent letters supporting calls for a formal review by U.S. authorities into South Korea’s conduct. Neil Mehta, founder and managing partner of Greenoaks Capital, stated that American policymakers and investors increasingly view the case as an example of the need to defend U.S. companies against what they see as unfair foreign government actions.

Coupang was established in 2010 by Korean-American entrepreneur Bom Kim, a graduate of Harvard University. Over the past decade, it has become the most widely used e-commerce platform in South Korea, surpassing long-established domestic conglomerates such as Shinsegae in online retail presence. The company has expanded beyond traditional online shopping into food delivery services, streaming platforms, and financial technology offerings, further strengthening its footprint in the country’s digital economy.

South Korea’s Justice Ministry has confirmed receipt of additional notices signaling intent to arbitrate. In an official statement, the ministry said it would respond in a systematic and professional manner through its International Investment Dispute Response Team, indicating that the government intends to formally defend its position.

The issue has also contributed to rising trade friction between Washington and Seoul. U.S. President Donald Trump has warned that tariffs on South Korean goods could increase to as much as 25 percent amid broader economic tensions.

Separately, the United States House Committee on the Judiciary recently issued a subpoena to Coupang as part of an ongoing investigation examining alleged discriminatory treatment of American companies operating abroad.

As arbitration proceedings advance, the case is expected to test not only corporate accountability in the wake of major data breaches, but also the strength of international investment protections and the diplomatic balance between two long-standing economic partners.

Read more »
Volvo Breach
Conduent Hack Data Breach Identity Theft Ransomware attack Volvo Breach

Volvo Hit in Conduent Breach Affecting 25 Million

 

A major data breach at business services provider Conduent has spiraled into a large-scale security incident affecting at least 25 million people across the United States, with Volvo Group North America among the latest victims. The breach, originally disclosed in early 2025, is now understood to be far more extensive than first reported, impacting residents in multiple states and exposing sensitive personal data. Texas authorities now estimate that 15 million people have been affected, up from an initial 4 million, while more than 10 million individuals in Oregon have also been caught up in the incident.

Conduent first confirmed in November 2025 that a cyberattack in January 2025 had exposed personal data belonging to over 10 million people. The compromised information included names, addresses, dates of birth, Social Security numbers, and health and insurance details, making it highly valuable for identity theft and fraud. Earlier, in April 2025, the company had revealed that attackers stole names and Social Security numbers during the same January intrusion, highlighting a pattern of gradually escalating disclosures as the scale of the breach became clearer.

Operational disruption accompanied the data exposure, as Conduent disclosed that a January cyberattack caused service outages impacting agencies in multiple U.S. states. Wisconsin and Oklahoma reported issues affecting payments and customer support, underscoring how attacks on back-office providers can cascade into interruptions of public services. Subsequent investigation determined that hackers had maintained access to Conduent’s network from October 21, 2024, to January 13, 2025, giving them ample time to exfiltrate personal data, including Social Security numbers, dates of birth, addresses, and health-related information.

The Safepay ransomware group later claimed responsibility for the attack in February 2025, adding an extortion dimension to the incident. Conduent, which offers printing and mailroom services, document processing, payment integrity, and other back-office support, has been sending breach notifications on behalf of affected clients, including Volvo Group North America. According to a filing with the Maine Attorney General, Volvo reported that 16,991 employees were impacted, and the company said it only learned of the incident in January 2026, many months after the original intrusion window.

In its notification letters, Conduent informed individuals that some of their personal information may have been involved due to services provided to their current or former health plans. The company stated it is not aware of any attempted or actual misuse of the compromised data but is urging recipients to consider steps to protect themselves. As part of its response, Conduent is offering free identity protection services to those affected, reflecting ongoing concern about long-term risks posed by the theft of such highly sensitive information.
Read more »
Wiz security research
AI social network risk Data Breach Moltbook security breach Supabase API key exposure Wiz security research

Moltbook Data Leak Reveals 1.5 Million Tokens Exposed in AI Social Platform Security Flaw

 



Moltbook has recently captured worldwide attention—not only for its unusual concept as a dystopian-style social platform centered on artificial intelligence, but also for significant security and privacy failures uncovered by researchers.

The platform presents itself as a Reddit-inspired network built primarily for AI agents. Developed using a “vibe-coded” approach—where the creator relied on AI tools to generate the code rather than writing it manually—Moltbook allows users to observe AI agents conversing with one another. These exchanges reportedly include topics such as existential reflection and discussions about escaping human control.

However, cybersecurity firm Wiz conducted an in-depth review of the platform and identified serious flaws. According to its findings, the AI agents interacting on the site were not entirely autonomous. More concerningly, the platform exposed sensitive user information affecting thousands.

In its report, Wiz said it performed a “non-intrusive security review” by navigating the platform as a regular user. Within minutes, researchers discovered a Supabase API key embedded in client-side JavaScript. The exposed key granted unauthenticated access to the production database, allowing both read and write operations across all tables.

“The exposure included 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. We immediately disclosed the issue to the Moltbook team, who secured it within hours with our assistance, and all data accessed during the research and fix verification has been deleted,” the researchers explained.

The team clarified that the presence of a visible API key “does not automatically indicate a security failure,” noting that Supabase is “designed to operate with certain keys exposed to the client.” However, in this case, the backend configuration created a critical vulnerability.

“Supabase is a popular open-source Firebase alternative providing hosted PostgreSQL databases with REST APIs,” Wiz explained. “When properly configured with Row Level Security (RLS), the public API key is safe to expose - it acts like a project identifier. However, without RLS policies, this key grants full database access to anyone who has it. In Moltbook’s implementation, this critical line of defense was missing.”

Beyond the data exposure, the investigation also cast doubt on Moltbook’s central claim of hosting a fully autonomous AI ecosystem. Researchers concluded that human operators were significantly involved behind the scenes. “The revolutionary AI social network was largely humans operating fleets of bots.”

For now, Moltbook’s vision of independent AI entities engaging freely online appears to remain closer to speculative fiction than technological reality.
Read more »
Ransomware
cyber attack Data Breach Data Theft mental Health Ransomware

Birmingham Mental Health Authority Alerts More than 30,000 People to Ransomware-linked Data Breach

 

A public mental health authority in Birmingham, Alabama has notified more than 30,000 individuals that their personal and medical information may have been exposed in a data breach linked to a ransomware attack late last year. 

The informed 30,434 people of the breach, according to a disclosure filed with the . The incident occurred in November 2025 and affected data collected over a period spanning more than a decade. According to the notification sent to those affected, unauthorized access to the authority’s network was detected on or around November 25, 2025. 

An internal investigation found that certain files may have been accessed or taken without authorization. The potentially exposed information includes names, Social Security numbers, dates of birth, health insurance details and extensive medical information. 

The compromised medical data may include billing and claims records, diagnoses, physician information, medical record numbers, Medicare or Medicaid details, prescription data and treatment or diagnostic information. 

The authority said the affected records relate to patients or employees dating back to 2011. A ransomware group known as claimed responsibility for the attack in December 2025, demanding a ransom of $200,000 and threatening to publish 168.6 gigabytes of allegedly stolen data. 

The group posted sample images online as proof of the breach. The mental health authority has not publicly confirmed Medusa’s claim and has not disclosed whether a ransom was paid. 

The authority declined to comment on how attackers gained access to its systems. The breach notification does not mention any offer of free credit monitoring or identity theft protection for affected individuals. Medusa has been active since 2019 and operates a ransomware-as-a-service model, in which affiliates use its tools to carry out attacks. 

In 2025, the group claimed responsibility for dozens of confirmed ransomware incidents, many of them targeting healthcare providers. Those attacks exposed the personal data of more than 1.7 million people, according to publicly reported figures. 

Healthcare organizations have been a frequent target of ransomware groups in the US. Researchers tracking cyber incidents reported more than 100 confirmed ransomware attacks on hospitals, clinics and care providers in 2025, compromising data belonging to millions of patients. Such attacks can disrupt clinical operations, force providers to revert to manual systems and raise risks to patient safety and privacy. 

The Jefferson Blount St. Claire Mental Health Authority operates four mental health facilities serving Jefferson, Blount and St. Clair counties in Alabama.
Read more »
Vendor Risk Management
Data Breach Email Service Provider Incident response Phishing Risk SaaS security supply chain security Third-party breach User Data Protection Vendor Risk Management

Flickr Reveals Data Breach Originating From Third Party Systems


 

A security incident affecting the user data of popular photo sharing platform Flickr has been confirmed to be the result of a compromise within a third-party service integrated into Flickr's operation, rather than the company's core infrastructure. 

According to the company, sensitive customer information was exposed through a breach involving an external email service provider, which exposed an undisclosed number of users' sensitive data. In spite of Flickr's emphasis on the fact that the intrusion was detected and contained within hours, the incident illustrates the persisting risks associated with third-party dependencies within modern cloud and SaaS environments. 

An unauthorized access was discovered on February 5, which resulted in immediate incident response measures as indicated in a breach notification circulated to affected users and reviewed by The Register. 

An external provider's vulnerable endpoint was identified as a source of malicious activity by Flickr, which was immediately isolated in order to prevent further data exposure or lateral movement. In addition to revocation of pathways and expulsion of threat actors, notifications were also sent to the relevant regulatory authorities, data protection bodies, and affected customers regarding the malicious activity. 

A thorough forensic investigation has been commissioned by the company's third-party provider, and detailed findings will be shared as soon as possible, signaling the company's commitment to reviewing vendor security controls and accountability in a broader way. 

Following notification to users, the incident disclosure indicates that Flickr's exposure was caused by a security breach within an external email service provider it uses rather than a compromise of its primary platform itself. 

Among the information that could potentially have been accessed by unauthorized parties were real names, email addresses, IP addresses, and limited account activity information. Flickr declined to identify the third-party provider involved in the incident and did not specify how many users may have been affected, merely stating that investigation continues to determine the scope of the impact. 

Since Flickr's founding in 2004, it has grown into one of the world's largest communities of photographers, hosting over 28 billion photos and videos, and reporting a monthly active user base of over 35 million users, with over 800 million page views. 

The company stated in its statement that immediate containment measures were initiated following the detection of the issue. These measures included revoking access to the affected systems, severing connections with the vulnerable endpoints, and engaging a third-party provider to conduct an extensive forensic examination.

In parallel with these actions, Flickr notified relevant data protection authorities and initiated an internal security assessment intended to strengthen governance and technical controls across third-party integrations.

In its user advisory, Flickr urged customers to be aware of potential phishing attempts that may impersonate official communications in order to exploit this incident. As part of the company's recommendations, the company also recommended that customers review their account activity for anomalies and update their credentials on other services in cases where they may have been reused, reinforcing the importance of standard post-breach hygiene practices during the investigation process. 

As part of its notification to users, Flickr indicated that they are conducting an in-depth investigation as well as reinforcing the security controls governing third-party providers, and that the relevant data protection authorities have been formally notified. 

It was clarified by the company that the attackers accessed a variety of information based on the user, such as name, email address, username, account types, IP addresses, and approximate location information. 

In light of the incident, Flickr stressed that passwords, payment information, and other financial information were not compromised. Specifically, the company cautioned users to be on their guard when receiving suspicious e-mails, particularly messages that purport to be from the company, as the exposed personally identifiable information could be utilized to develop convincing social engineering attacks. 

Additionally, the notification included references to European and United States data protection authorities, which suggests that the incident may have affected users in more than one jurisdiction. With over 35 million monthly users across 190 countries, Flickr has a global exposure spanning a wide geographical area. 

Neither the threat actor nor the data had surfaced on known underground marketplaces at the time of disclosure. However, security experts note that even limited account metadata may be exploited in order to stage targeted phishing attempts, such as fraudulent account suspension notices or payment verification requests, aimed at obtaining additional credentials or financial information from users without their knowledge.

It is important to remember that third-party integrations, particularly those embedded in identity, communication, and notification workflows, create an expanding attack surface. Even though the immediate impact of Flickr's breach was limited by its rapid containment, the incident demonstrates the importance of continuous risk assessments and endpoint visibility among external service providers, as well as contractual security obligations. 

Increasingly, organizations operating at a global scale must regard third-party services as extensions of their internal environment, subject to the same monitoring, logging, and incident response procedures as they do their internal systems. 

A user may be exposed to long-term risks associated with the misuse of seemingly low-sensitivity account information, which can later be repurposed to facilitate highly targeted phishing and account takeover attempts. 

According to security professionals, it is advisable to maintain separate credentials across different services, to enable additional authentication safeguards when they are available, and to exercise caution when responding to unsolicited communication regarding users' account.

During the course of the investigation, the broader industry will closely observe for any further disclosures that may affect how platform operators balance their reliance on external vendors with demonstrating an effective supply-chain security infrastructure.
Read more »
Voice Phishing Attacks
Data Breach Identity-Based Breaches Microsoft Entra Security Okta SSO Compromise Phishing-Resistant MFA Single Sign-On Security Voice Phishing Attacks

ShinyHunters Targets Okta and Microsoft SSO in Data Breach


 

Several voice-based social engineering attacks have prompted renewed scrutiny of single sign-on ecosystem security assumptions. The cybercrime collective ShinyHunters has publicly announced that it has carried out an extensive campaign to harvest SSO credentials from approximately 100 organizations, signaling an intentional shift toward identity-centered intrusion methods. 

As a result of the early disclosures, substantial amounts of data have already been exposed, as leaks have been confirmed to platforms such as SoundCloud, Crunchbase, and Betterment, which have affected tens of millions of user records. 

Moreover, the intrusions were not the result of software malfunctions or misconfigurations, but rather carefully executed voice phishing attacks that took advantage of human trust in modern authentication workflows to achieve success. 

A growing reality for enterprises is underscored by this tactic. As authentication becomes more centralized via single sign-on providers, compromises of individual identities can result in systemic access to entire SaaS environments, amplifying the scale and impact of these breaches. 

Once an employee's single sign-on credentials have been successfully accessed, the impact is extensive beyond the initial account compromise. By gaining access to a single sign-on identity, attackers will gain access to the organization's broader application ecosystem. 

Various SSO platforms, including Okta, Microsoft Entra, and Google, streamline authentication by federating access to a variety of internal and third-party services under a single login, which facilitates streamlining authentication. As a result of this architecture, usability and administrative control are improved, but risk is also concentrated, as a single breached identity can unlock multiple downstream systems.

The SSO dashboard provides authenticated users with an integrated view of all enterprise applications connected to it, transforming a compromised account into a digital footprint map of the organization. A number of business-critical applications are commonly integrated into platforms, including Microsoft 365, Google Workspace, Salesforce, SAP, Slack, Atlassian, Dropbox, Adobe, Zendesk, and other software as a service applications. 

ShinyHunters and associated actors have exploited this model through targeted voice phishing campaigns, impersonating internal IT personnel, and guiding victims through credential entry and multi-factor authentication challenges on convincingly replicated login portals. 

Following authentication, the attackers systematically enumerate all available applications within the SSO environment, and then begin extracting data from each platform, enabling massive data thefts and lateral expansion across interconnected services before security teams may detect any abnormal activity. 

In the aftermath of initial access, attackers began targeting cloud-based software-as-a-service environments, which are systematically targeting systems for storing corporate data and internal documents. The objective goes beyond data theft, with stolen information increasingly being utilized for subsequent extortion campaigns following the initial data theft. 

Various designations are being tracked by Google Threat Intelligence Group (GTIG), including UNC6661, UNC6671, and UNC6240, reflecting a loosely coordinated but tactically aligned group of operators employing a similar approach to intrusions and monetizations. 

The GTIG and Mandiant investigations indicate that activity associated with UNC6661 intensified in mid-January, when attackers posed as internal IT personnel to contact employees within targeted organizations. In addition to being told that multifactor authentication settings would soon be updated, victims were directed to convincingly branded credentials harvesting portals.

It was designed to capture both single-sign-on credentials and MFA codes in real-time, thereby enabling immediate account control. Mandiant confirmed that, in multiple instances, the compromised credentials came from Okta customers, as mentioned in an Okta blog posting describing a campaign employing advanced phishing kits in response to the compromised credentials. 

In a subsequent study, researchers attributed follow-up extortion efforts to UNC6240, citing overlapping operational artifacts including the reuse of a common Tox account during negotiations, among others. In late January, a newly established leak site listing alleged victims was published, which described the nature of the stolen information and imposed payment deadlines of 72 hours. 

Researchers have previously reported that allegations of compromise have been made against at least five organizations. UNC6671 is exhibiting similar tradecraft in parallel activities. Throughout the past week, operators connected to this cluster have conducted vishing attacks involving impersonation of IT personnel and real-time credential harvesting.

In spite of the underlying domain infrastructure being similar to that of UNC6661, researchers observed differences in domain registration services, suggesting that operations are separate despite common tools and techniques. It is believed that these groups are collectively associated with ShinyHunters, which operates under alternative banners such as Scattered Lapsus$ Hunters at times. 

The collective is derived from an ecosystem of loosely affiliated cybercriminals known as The Com, whose members have proven to be skilled at telephone social engineering. An increasingly sophisticated phishing toolkit is at the core of these operations, designed to manage the complete lifecycle of an attack. 

The latest kits are capable of generating phishing emails and hosting replicate login pages, as well as relaying captured credentials in real time to attackers—an essential feature of multifactor authentication. 

A growing number of advanced frameworks now support voice-enabled phishing, which allows attackers to coordinate live phone calls in conjunction with dynamic manipulations of the victim's browser session Okta researchers have observed that these toolkits can be adjusted on the fly, enabling callers to control which pages are presented to victims according to their scripts as well as with legitimate MFA challenges encountered during the login process. 

With this level of orchestration, attackers are able to neutralize most multi-factor authentication (MFA) mechanisms that are not explicitly phishing-resistant. These campaigns are known to target identity platforms, cryptocurrencies, and Okta's own identity and access management services, which serve as authentication hubs for extensive corporate application portfolios, including Google and Microsoft Entra. 

It has been demonstrated that phishing pages are closely modeled after legitimate sign-in interfaces, ensuring a seamless experience for victims. According to Okta threat researcher Moussa Diallo, attackers can coordinate on-screen instructions with spoken instructions, even advising victims that they will receive MFA push notifications in advance, thus lending credibility to what would otherwise appear to be an unsolicited authentication request. 

However, phishing-resistant MFA technology such as smartcards, FIDO security keys, cryptographic passkeys, and Okta FastPass introduces cryptographic binding between the service and the user, thus reducing the effectiveness of real-time social engineering attacks. 

Ultimately, the campaign reinforces the critical lesson that defenders should take away: identity has become the primary attack surface, and human interaction has become one of its most vulnerable components. 

Threat actors have refined their abilities to manipulate trust by engaging in real-time voice engagements, challenging traditional assumptions about authentication strength. In addition to considering the fact that even well-implemented SSO and MFA controls can be undermined when users are persuaded to actively participate in an attack chain, security teams must change both technical and operational strategies to address this risk. 

By adopting cryptographically bound authentication mechanisms that are phishing-resistant, organizations can reduce the probability of credential replay in real-time. Furthermore, sustained employee awareness training that recognizes voice phishing as a major threat, rather than a niche variant of email-based scams, is equally important. 

The use of clear internal IT communication processes, along with monitoring for anomalous SSO behavior and rapid response playbooks, can further limit the blast radius in the event of compromise. In order to increase resilience against identity-driven attacks, layered controls will need to remain effective even when social engineering is successfully employed.
Read more »
Ransomware
cyber attack Data Breach Hacking Information Security IT Security Italy Law Enforcement Ransomware

La Sapienza University’s Digital Systems Remain Shut After Cyber Intrusion Disrupts Services

 




Rome’s La Sapienza University is continuing to experience major operational disruption after a cyber intrusion forced administrators to take its digital infrastructure offline as a safety measure. The shutdown began on February 2 and has affected core online services used by students, faculty, and administrative staff.

Since the incident, students have been unable to complete basic academic and administrative tasks such as registering for examinations, viewing tuition-related records, or accessing official contact information for teaching staff. With internal platforms unavailable, the university has relied mainly on its social media channels to share updates. These notices have acknowledged the disruption but have not provided detailed technical explanations or a confirmed date for when full access will be restored.

University officials confirmed that their systems were deliberately powered down to contain the threat and to prevent malicious software from spreading to other parts of the network. Emergency shutdowns of this kind are typically used when there is a risk that an attack could compromise additional servers, user accounts, or stored data. This response suggests that the incident involved harmful software capable of moving across connected systems.

According to publicly available reporting, the disruption was caused by ransomware, a category of cyber attack in which criminals attempt to lock organizations out of their own systems or data. Some media sources have claimed that a newly observed cybercrime group may be linked to the breach and that a ransomware variant referred to in security research as Bablock, also known as Rorschach, may have been involved. These attributions are part of ongoing assessments and have not been formally confirmed by authorities.

Technical analyses cited in public reporting describe this malware family as drawing components from previously leaked cybercrime tools, allowing attackers to combine multiple techniques into a single, highly disruptive program. Such ransomware is designed to operate rapidly and can spread across large digital environments, which helps explain the scale of the disruption experienced by one of Europe’s largest universities by student enrollment.

The university has formally reported the incident to Italian law enforcement and to the National Cybersecurity Agency, both of which are now involved in the investigation and response. Administrators have stated that emergency management is being coordinated across academic offices, administrative departments, and student representatives, with discussions underway to introduce deadline extensions and flexible arrangements to limit academic harm.

Due to the ongoing shutdown of internal systems, campus information desks are currently unable to access digital records that would normally support student inquiries. Updates about service availability and office hours are being shared through official faculty social media pages.

Meanwhile, technical teams are examining the full scope of the breach before restoring systems from backups. This step is necessary to ensure that no malicious code remains active. It is still unclear whether all stored data can be fully recovered or whether some information may remain inaccessible following the attack.


Read more »
Romania National Oil Pipeline
Cybersecurity Attack Data Breach data threat Romania National Oil Pipeline

Romania’s National Oil Pipeline Joins a Growing Cyberattack list

Romania’s national oil pipeline operator, Conpet, has disclosed that it suffered a cyberattack that disrupted its corporate IT systems and temporarily knocked its website offline, adding to a growing series of digital incidents affecting the country’s critical infrastructure. 

In a statement issued on Wednesday, the company said the attack affected its business information systems but did not interfere with pipeline operations or its ability to meet contractual obligations. 

Conpet operates almost 4,000 kilometres of pipelines, transporting domestically produced and imported crude oil, gasoline and other petroleum derivatives to refineries across Romania, making it a key component of the country’s energy infrastructure. 

The firm sought to reassure customers and authorities that its core operational technologies were not compromised. Systems responsible for supervising and controlling pipeline flows, as well as telecommunications networks, continued to function normally throughout the incident. 

As a result, the transport of crude oil and fuel through the national pipeline system was not disrupted. Conpet’s public website, however, remained inaccessible as recovery efforts were under way. 

Conpet said it is investigating the breach in cooperation with national cybersecurity authorities and has notified Romania’s Directorate for Investigating Organised Crime and Terrorism, filing a formal criminal complaint. 

The company has not provided details on how the attackers gained access or the specific techniques used, citing the ongoing investigation. Despite this lack of official confirmation, the ransomware group Qilin has claimed responsibility for the attack. 

The group has listed Conpet on its dark web leak site and alleges it exfiltrated close to one terabyte of data from the company’s systems. 

To support its claim, Qilin published a selection of images said to show internal documents, including financial information and scans of passports. Qilin emerged in 2022 as a ransomware-as-a-service operation, initially operating under the name Agenda. 

Since then, it has built a long list of alleged victims across the world, targeting private companies and public institutions alike. Such groups typically combine data theft with extortion, threatening to publish stolen material unless a ransom is paid. 

The attack on Conpet follows a spate of ransomware incidents in Romania over the past year. Water authorities, major energy producers, electricity distributors and dozens of hospitals have all reported disruptive cyberattacks. 

Together, these cases underline a persistent weakness in the corporate IT systems that support essential services, even when industrial control networks are kept separate. 


Read more »
State-Sponsored Cyber Espionage
Advanced Persistent Threats Critical Infrastructure Cyberattack Data Breach Global Cybersecurity Threats Linux Rootkit Malware nation-state hackers Palo Alto Unit 42 State-Sponsored Cyber Espionage

Widespread Cyber Espionage Campaign Breaches Infrastructure in 37 Countries


 

Research over the past year indicates that a newly identified cyberespionage threat actor operating in Asia has been conducting a sustained and methodical cyberespionage campaign that is characterized both by its operational scale and technical proficiency. 

A fully adaptive and mature toolchain has been utilized by this group to successfully compromise 70 government and critical infrastructure institutions spanning 37 countries. The group's operations utilize a range of classic intrusion vectors, including targeted phishing, advanced exploitation frameworks, along with custom malware, Linux-based rootkits, persistent web shells, tunneling and proxying mechanisms to hide command-and-control traffic and maintain long-term access. 

According to the analysis of the campaign, these intrusions represent only a portion of the group's overall activities. There appears to be an increase in reconnaissance efforts, indicating a strategic expansion beyond confirmed victims, according to security researchers. 

During November and December of 2025, the actor was observed conducting active scanning and reconnaissance against government-linked infrastructures located in 155 countries, indicating that an intelligence collection operation had a global perspective rather than an opportunistic approach. 

A previously unknown cyberespionage actor identified as TGR-STA-1030, also known as UNC6619, has been attributed to the activity by researchers at Palo Alto Networks' Unit 42. Based on a combination of technical artifacts, operational behavior, and targeting patterns, Unit 42 assesses with high confidence that the group is state-aligned and operating from Asia. 

A 12-month period during which the actor compromised government and critical infrastructure organizations across 37 countries puts nearly one fifth of the world's countries within the campaign's verified impact zone. 

A sharp increase in reconnaissance activity was observed by Unit 42 in parallel with these intrusions between November and December 2025, as the group actively scanned government-linked infrastructure associated with 155 countries, signaling a shift toward a broader collection of intelligence. 

Based on the analysis conducted by Unit 42, the group was first discovered during an investigation into coordinated phishing operations targeting European government entities in early 2025. 

Eventually, as the actor refined its access methods, these campaigns, which were part of the initial phase of the Shadow Campaigns, evolved into more direct exploitation-driven intrusions based on exploitation. In light of the assessment that the activity aligns with state interests but has not yet been conclusively linked to a particular sponsoring organization, the designation TGR-STA-1030 is serving as a temporary tracking label while attribution efforts are continued.

Over time, the group demonstrated increasing technical maturity by deploying persistence mechanisms capable of providing extended access to exposed services beyond email-based lures, and exploiting exposed services. To date, a wide range of sensitive government and infrastructure sectors have been identified as victims, including interior affairs, foreign relations, finance, trade, economic policy, immigration, mining, justice, and energy ministries and departments. 

Despite confirmed compromises, researchers from Unit 42 believe that the breadth of reconnaissance activity offers insight into the actor's global priorities, while confirmed scanning efforts indicate that scanning efforts can be translated into operational access. 

There were at least 70 successful breaches during the period under review, and attackers maintained footholds in several environments for several months at a time. Although the campaign appears to be primarily geared toward espionage, Unit 42 has cautioned that the scale, persistence, and alignment of the activity with real-world geopolitical events raise concerns about potential long-term consequences for national security and critical service resilience. 

According to an in-depth analysis of the campaign, a pattern of targeting closely tracked sensitive geopolitical and commercial developments. Unit 42 documented the compromise of one of the largest suppliers in Taiwan's power equipment industry among the confirmed intrusions, which underscores the group's interest in energy-related industrial ecosystems. 

The actors also breached an Indonesian airline's network during the active procurement process with a U.S.-based aircraft manufacturer in a separate incident. Researchers noted that the intrusion coincided with a significant increase in the promotion of competing aircraft products from a manufacturer based in Southeast Asia, suggesting that the operation was not limited to passive intelligence gathering, but extended to strategic economic interests. 

It is important to note that several intrusion waves corresponded directly with diplomatic and political flashpoints involving China. After a high-profile meeting between the country’s president and the Dalai Lama, scanning activity was observed against the Czech military, national police, parliamentary systems, and multiple government bureaus in the Czech Republic. 

A month prior to Honduras' presidential election, during which both of the leading candidates indicated their willingness to reestablish diplomatic relations with Taiwan, the group launched a targeted attack against Honduran government infrastructure on October 31, approximately one month before the election. 

At least 200 government-associated IP addresses were targeted during this period by Unit 42, marking one of the largest concentrations of activity recorded by the group to date, which resulted in reconnaissance attempts and intrusion attempts. From a technical standpoint, the actor's tooling exhibits a high level of sophistication and operational discipline. 

As a part of initial access, phishing campaigns were frequently used to deliver custom malware loaders known as DiaoYu. DiaoYu is the Chinese word for fishing. Upon execution, the malware loader performed antivirus checks before deploying follow-on payloads, including command-and-control beacons known as Cobalt Strike beacons.

Additionally, the group exploited various enterprise-facing vulnerabilities, including Microsoft Exchange Server, SAP Solution Manager, as well as more than a dozen other widely deployed platforms and services, attempting to exploit these vulnerabilities in parallel. By utilizing a previously undocumented Linux rootkit known as ShadowGuard, Palo Alto Networks enhanced persistence and stealth. 

Rootkits operate within Linux kernel virtual machines referred to as Extended Berkeley Packet Filters (eBPF), allowing malicious logic to be executed entirely within highly trusted kernel space. According to researchers from Unit 42, eBPF-based backdoors pose a particular challenge for detection, because they are capable of intercepting and manipulating core system functions and auditing data before host-based security tools or monitoring platforms are aware of them. 

A similar approach has been documented in recent research on advanced Chinese-linked threat actors. However, certain operational artifacts also emerged in spite of the group's multi-tiered infrastructure strategy designed to obscure command-and-control pathways and impede attribution. 

Several cases involved investigators observing connections to victims' environments originating from IP address ranges associated with China Mobile Communications Group, a major backbone telecommunications provider. 

According to Palo Alto Networks, based on infrastructure analysis and historical telemetry, this group has been active since at least January 2024 and continues to pose a threat to the company. According to Unit 42, TGR-STA-1030 remains an active and evolving threat to critical infrastructure and government environments worldwide. This threat's combination of geopolitical alignment, technical capability, and sustained access creates a potential long-term threat. 

Unit 42 encourages governments and critical infrastructure operators to revisit long-held assumptions related to perimeter security and incident visibility in light of these findings. Through the campaign, it can be seen how advanced threat actors are increasingly combining prolonged reconnaissance with selective exploitation in order to achieve durable access and remain undetected for extended periods of time. 

It is recommended that security professionals prioritize continuous monitoring of exposed services, improve detection capabilities at both the endpoint and network layers, and closely monitor anomalous activity within trusted system components, such as kernel-level processes, where appropriate. 

Additionally, the researchers emphasize the importance of cross-sector coordination and threat intelligence sharing in addition to immediate technical mitigations, noting that the campaign's scale and geopolitical alignment demonstrate the deterioration of national resilience over time through cyberespionage operations. 

Keeping a keen eye on current and future state-aligned operations and adjusting defensive strategies in response will remain critical to limiting their strategic impact, especially as state-aligned actors continue to develop their skills.
Read more »
Malware Attack
Data Breach Database Breach Database Compromised Infostealer Infostealer Malware Malware Attack

Unsecured Database Exposes 149 Million Logins Linked to Infostealer Malware Operations

 

Appearing without warning on the internet, a massive collection of personal login details became reachable to any passerby. This trove - spanning about 96 gigabytes - included close to 150 million distinct credentials gathered from various sources. Not shielded by locks or scrambled coding, its contents lay fully exposed. Inside, endless spreadsheets paired emails with user handles, access codes, plus entry points to accounts. Examination showed evidence of widespread digital theft, driven by aggressive software designed to harvest private information. Such leaks reveal how deeply automated attacks now penetrate everyday online activity. 

Credentials came from people across the globe, tied to many different websites. Access information showed up for big social networks, romance apps, subscription video sites, games, and money-handling services. Among them: login pairs for digital currency storage, bank entry points, and systems linked to payment cards. A mix like that points not to one hacked business but likely stems from software designed to gather passwords automatically.  

What stood out most was the appearance of login details tied to government-backed email addresses in various nations. Though these accounts do not always grant entry to critical infrastructure, basic official credentials might still be exploited - serving as tools for focused scams or fake identities. Starting from minor access points, attackers could work their way deeper into secure environments. The level of danger shifts with each individual's privileges; when higher-access .gov logins fall into the wrong hands, consequences can stretch well beyond a single agency. 

Appearing first in the analysis was a database organized much like those seen in infostealer activities. Keylog results sat alongside extra details - hostnames flipped intentionally to sort thefts by target and origin. Though built on hashes, every record carried its own distinct ID, likely meant to prevent repeats while easing bulk sorting tasks. From this setup emerges something functional: a system shaped for gathering, handling, even passing along login information. Last noted - the traits match what supports credential trafficking behind the scenes. 

With unclear responsibility for the database, reporting went straight to the hosting company. Still, fixing the issue dragged on - weeks passed, with multiple alerts needed before entry was blocked. While delays continued, more data kept flowing in, expanding the volume of sensitive records exposed. Who controlled the system, how long it stayed open online, or whether others harvested its contents stays unanswered. One wrong move here leads to serious trouble. 

When hackers get full logins alongside active URLs, they run automated break-ins across many accounts - this raises chances of stolen identities, fake messages that seem real, repeated fraud, and unauthorized access. Personal habits emerge through used platforms, painting a clearer picture of who someone is online, which deepens threats to private data and future safety. 

Midway through this event lies proof: stealing login details now operates like mass production, fueled by weak cloud setups. Because information-harvesting software grows sharper every month, staying protected means doing basics well - shielding devices, practicing careful habits online, using separate codes everywhere, while adding extra identity checks. Found gaps here reveal something odd at first glance - not just legitimate systems fail from poor setup, but illegal networks do too; when they collapse, masses of people get caught unaware, their private pieces scattered without knowing a breach ever happened.
Read more »
Spain
Data Breach Data Leak Education ministry of science Online Platforms Spain

Spain’s Science Ministry Partially Shuts Online Systems After Suspected Cyber Incident

 



Spain’s Ministry of Science, Innovation and Universities has temporarily disabled parts of its digital infrastructure following what it described as a technical problem. The disruption has affected several online services used by citizens, universities, researchers, and businesses for official procedures and submissions. These platforms support important administrative functions and process sensitive information, which is why access was restricted as a precaution.

The ministry oversees national science policy, research programs, innovation initiatives, and higher education administration. Its systems handle high-value data, including academic and research records, application materials, and personal information linked to students and professionals. Because of the incident, multiple digital services were made unavailable, and active procedures were placed on hold to limit any potential risk to data or system integrity.

In a public notice on its official website, the ministry stated that the incident is under technical assessment and did not disclose further details at the time. The announcement clarified that the ministry’s online portal is only partially operational and that ongoing administrative processes have been paused to protect the rights and lawful interests of affected users. To reduce the impact of the outage, authorities confirmed that deadlines for affected procedures will be extended in line with Spain’s administrative law provisions, so applicants and institutions are not penalized for delays caused by the shutdown.

Separately, claims surfaced on underground online platforms from an individual alleging unauthorized access to the ministry’s systems. The person shared what they presented as sample data to support the claim and stated that additional information was available for sale. The material reportedly includes personal records, email information, application-related documents, and images of official paperwork. These claims have not been independently verified, and the online space where the samples were shared later became inaccessible.

The same individual alleged that access was gained by exploiting a security weakness that can allow users to reach restricted resources without proper authorization. Such flaws, when present in web applications, can expose internal systems if not properly secured. At this stage, the technical details of the claim remain unconfirmed by authorities.

Spanish media outlets have reported that a ministry spokesperson acknowledged that the service disruption is linked to a cybersecurity incident. However, officials have not confirmed whether any data was accessed or taken, nor have they outlined the scope of any potential compromise. The ministry has indicated that investigations are ongoing to determine what occurred and to restore services safely.

Cybersecurity experts consistently warn that public sector systems are frequent targets because of the volume and sensitivity of data they manage. Strong access controls, continuous monitoring, and timely security updates are critical to reducing exposure to such risks. Further updates from the ministry are expected once technical assessments are completed and the situation is fully clarified.

Read more »
Tribal Clinics
Data Breach Medical Data Leak Ransomware attack Rhysida Ransomware Tribal Clinics

Rhysida Ransomware Hits California Tribal Clinics, Leaks SSNs and Medical Data

 

A recent ransomware attack has disrupted healthcare services and exposed sensitive patient data at the MACT Health Board, which operates clinics serving American Indian communities in California’s Sierra Foothills. The cybercriminal group Rhysida has claimed responsibility for the November 2025 breach and has listed MACT on its data leak site, demanding a ransom of eight bitcoin, valued at about 662,000 dollars at the time. Although MACT has notified affected patients, the organization has not confirmed Rhysida’s claims or disclosed how many individuals were impacted.

According to MACT’s notice to victims, an unauthorized party accessed some files on its systems between November 12 and November 20, 2025, leading to serious exposure of personal and medical information. Compromised data includes names, Social Security numbers, and detailed medical information such as diagnoses, doctors, insurance details, medications, test results, images, and records of care and treatment. In response, MACT is offering eligible victims free identity monitoring, recognizing the heightened risk of identity theft and fraud.

The attack caused significant operational disruption across MACT’s clinics starting November 20, 2025, affecting phone services, prescription ordering, and appointment scheduling. Phone lines were restored by December 1, but some specialized imaging services were still offline as of January 22, illustrating the long-term impact such incidents can have on patient care. The Board declined to answer detailed questions about the breach, including whether a ransom was paid or how the attackers infiltrated the network.

Rhysida, which emerged in May 2023, runs a ransomware-as-a-service model, providing its malware and infrastructure to affiliates who carry out attacks. Its ransomware both steals data and encrypts systems, with victims pressured to pay for deletion of stolen information and for decryption keys. The group has claimed responsibility for 102 confirmed attacks and an additional 157 unacknowledged incidents, with an average ransom demand of around 884,000 dollars. At least 24 of its confirmed attacks have targeted healthcare entities, compromising about 3.83 million records, including high-profile breaches at MedStar Health, Spindletop Center, and Cytek Biosciences.

The MACT incident highlights a broader surge in ransomware targeting US healthcare providers. Comparitech researchers documented 109 confirmed ransomware attacks against hospitals, clinics, and other care providers in 2025 alone, affecting nearly 8.9 million records. These attacks can force organizations back to pen-and-paper operations, trigger appointment cancellations, and even require patient diversions, putting both safety and privacy at risk. MACT, which serves five California counties—Mariposa, Amador, Alpine, Calaveras, and Tuolumne—through about a dozen clinics offering medical, dental, behavioral, optometry, and chiropractic care, now faces the dual challenge of restoring services and rebuilding trust with its community.
Read more »
supply chain security
Data Breach developer credential theft GlassWorm malware malicious VS Code extensions Open VSX Registry attack supply chain security

Open VSX Supply Chain Breach Delivers GlassWorm Malware Through Trusted Developer Extensions

 

Cybersecurity experts have uncovered a supply chain compromise targeting the Open VSX Registry, where unknown attackers abused a legitimate developer’s account to distribute malicious updates to unsuspecting users.

According to findings from Socket, the attackers infiltrated the publishing environment of a trusted extension author and used that access to release tainted versions of widely used tools.

"On January 30, 2026, four established Open VSX extensions published by the oorzc author had malicious versions published to Open VSX that embed the GlassWorm malware loader," Socket security researcher Kirill Boychenko said in a Saturday report.

The compromised extensions had long been considered safe and were positioned as genuine developer utilities, with some having been available for more than two years.

"These extensions had previously been presented as legitimate developer utilities (some first published more than two years ago) and collectively accumulated over 22,000 Open VSX downloads prior to the malicious releases."

Socket noted that the incident stemmed from unauthorized access to the developer’s publishing credentials. The Open VSX security team believes the breach may have involved a leaked access token or similar misuse of credentials. All affected versions have since been taken down from the registry.

Impacted extensions include:
  • FTP/SFTP/SSH Sync Tool (oorzc.ssh-tools — version 0.5.1)
  • I18n Tools (oorzc.i18n-tools-plus — version 1.6.8)
  • vscode mindmap (oorzc.mind-map — version 1.0.61)
  • scss to css (oorzc.scss-to-css-compile — version 1.3.4)
The malicious updates were engineered to deploy GlassWorm, a loader malware linked to an ongoing campaign. The loader decrypts and executes payloads at runtime and relies on EtherHiding—a technique that conceals command-and-control infrastructure—to retrieve C2 endpoints. Its ultimate objective is to siphon Apple macOS credentials and cryptocurrency wallet information.

Before activating, the malware profiles the infected system and checks locale settings, avoiding execution on systems associated with Russian regions, a behavior often seen in malware tied to Russian-speaking threat groups.

The stolen data spans a broad range of sensitive assets, including browser credentials, cryptocurrency wallets, iCloud Keychain data, Safari cookies, Apple Notes, user documents, VPN configurations, and developer secrets such as AWS and SSH credentials.

The exposure of developer-related data is particularly dangerous, as it can lead to deeper enterprise breaches, cloud account takeovers, and lateral movement across networks.

"The payload includes routines to locate and extract authentication material used in common workflows, including inspecting npm configuration for _authToken and referencing GitHub authentication artifacts, which can provide access to private repositories, CI secrets, and release automation," Boychenko said.

What sets this incident apart is the delivery method. Instead of relying on fake or lookalike extensions, the attackers leveraged a real developer’s account to push the malware—an evolution from earlier GlassWorm campaigns that depended on typosquatting and brand impersonation.

"The threat actor blends into normal developer workflows, hides execution behind encrypted, runtime-decrypted loaders, and uses Solana memos as a dynamic dead drop to rotate staging infrastructure without republishing extensions," Socket said. "These design choices reduce the value of static indicators and shift defender advantage toward behavioral detection and rapid response."
Read more »
Subscribe to: Comments (Atom)