Attacks & Vulnerabilities

Top South Korean e-commerce firm Coupang apologises over massive data breach (2 minute read)
South Korean e-commerce giant Coupang disclosed unauthorized access, beginning June 24 and routed through overseas servers, that affected 33.7 million customer accounts and exposed names, email addresses, phone numbers, shipping addresses, and order histories. Authorities are investigating a former employee, a Chinese national, as the suspect. The government is examining potential personal information protection violations. This is the country's worst data breach in over a decade.

SmartTube YouTube App for Android TV Breached to Push Malicious Update (2 minute read)
The popular open-source SmartTube YouTube client for Android TV, which provides ad blocking and runs well on low-powered devices, was compromised after an attacker gained access to the developer's signing keys. The compromise was detected when multiple users reported that Play Protect had blocked SmartTube. The developer confirmed that his signing keys were compromised, revoked the old signature, and said he would publish a new version under a separate app ID.

Bind Link – EDR Tampering (11 minute read)
Threat actors can abuse Windows 11's Bind Link API, exposed through the bindflt.sys driver, to redirect EDR installation folders to attacker-controlled directories, enabling DLL hijacking and code execution in the EDR's context. The EDR-Redir proof of concept uses LoadLibraryW to load bindfltapi.dll and CreateDirectoryW to set up transparent folder mappings between virtual and backing paths. CrowdStrike, SentinelOne, and Carbon Black have implemented BindFlt monitoring, while Microsoft Defender for Endpoint remains vulnerable. Security teams should deploy Sysmon Event ID 7 monitoring for bindfltapi.dll image load events, validate whether legitimate bind link usage exists in their environment to reduce false positives, and ask their EDR vendor about detection of bindflt driver activity.
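The detection advice in the Bind Link item (Sysmon Event ID 7 for bindfltapi.dll loads, with a baseline to suppress legitimate use) is concrete enough to show as code. The script below is an added example, not code from the linked write-up or from the EDR-Redir proof of concept. It parses Sysmon event XML as exported from the Microsoft-Windows-Sysmon/Operational channel, keeps only ImageLoad (Event ID 7) records whose ImageLoaded is bindfltapi.dll, and raises an alert when the loading process is not in a baseline of expected loaders or runs from a user-writable path. The baseline set, the user-writable prefixes, and the sample events are constructed assumptions for illustration; the baseline in particular must come from your own fleet before this is wired to alerting.

```python
"""Triage Sysmon Event ID 7 (ImageLoad) records for bindfltapi.dll loads.

Added example (not from the write-up or the EDR-Redir PoC). bindfltapi.dll is
the user-mode API for the bindflt.sys Bind Filter driver; a process that
loads it and is not a known bind-link user is worth a look. The baseline
below is a hypothetical placeholder: build yours from your own telemetry.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed baseline (hypothetical): loaders observed using bindfltapi.dll legitimately.
EXPECTED_LOADERS = {"c:\\windows\\system32\\svchost.exe"}
# Locations a standard user can write to; a bindflt client living here is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class ImageLoad:
    utc_time: str
    process_id: str
    image: str         # the process that performed the load
    image_loaded: str  # the DLL that was loaded
    user: str


def parse_event(xml_text: str) -> Optional[ImageLoad]:
    """Return an ImageLoad for Event ID 7 records, None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7":
        return None
    # Sysmon stores fields as <Data Name="..."> children of <EventData>.
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return ImageLoad(
        utc_time=data.get("UtcTime", ""),
        process_id=data.get("ProcessId", ""),
        image=data.get("Image", ""),
        image_loaded=data.get("ImageLoaded", ""),
        user=data.get("User", ""),
    )


def triage(events: Iterable[str]) -> List[dict]:
    """Flag bindfltapi.dll loads by processes outside the baseline."""
    alerts = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev is None or not ev.image_loaded.lower().endswith("\\bindfltapi.dll"):
            continue
        loader = ev.image.lower()
        reasons = []
        if loader not in EXPECTED_LOADERS:
            reasons.append("loader not in baseline")
        if loader.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("loader runs from a user-writable path")
        if reasons:
            alerts.append({"utc_time": ev.utc_time, "pid": ev.process_id, "image": ev.image,
                           "user": ev.user, "reasons": reasons})
    return alerts


def _event(event_id: str, utc: str, pid: str, image: str, loaded: str, user: str) -> str:
    """Build a minimal Sysmon-shaped event record (constructed sample data)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{loaded}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


# Constructed sample events: one baseline load, one suspicious load, one unrelated DLL, one non-ImageLoad event.
SAMPLE_EVENTS = [
    _event("7", "2025-12-01 09:00:01.000", "1204", r"C:\Windows\System32\svchost.exe",
           r"C:\Windows\System32\bindfltapi.dll", "NT AUTHORITY\\SYSTEM"),
    _event("7", "2025-12-01 09:02:17.000", "5120", r"C:\Users\Public\tool.exe",
           r"C:\Windows\System32\bindfltapi.dll", "CORP\\jdoe"),
    _event("7", "2025-12-01 09:02:18.000", "5120", r"C:\Windows\notepad.exe",
           r"C:\Windows\System32\kernel32.dll", "CORP\\jdoe"),
    _event("1", "2025-12-01 09:03:00.000", "5130", r"C:\Windows\System32\cmd.exe", "", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the second sample event produces an alert; the svchost.exe load is suppressed by the baseline, which is exactly the false-positive control the item recommends validating before deployment. Feed real records by exporting the Sysmon channel to XML and passing each `<Event>` element to `triage`.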
Start Using Windows Autopatch (2 minute read)
Microsoft Intune provides an endpoint management suite for Windows devices. Windows Autopatch is built into Intune and lets administrators define groups so that updates roll out gradually across an organization. Administrators can also enable hot patching on devices to reach compliance faster.

Shai Hulud 2.0: Analysis and Community Resources (9 minute read)
Shai Hulud 2.0 is a large-scale software supply chain attack that compromised many popular npm packages, including ones tied to services such as Zapier, ENS Domains, PostHog, and Postman, in order to steal secrets and establish remote code execution via GitHub runners. Defenders are advised to use the published IOCs and scanners to identify infected packages and leftover malware files, treat any secrets on affected machines as compromised, and rotate or revoke them.

Guilty-As-Yara (GitHub Repo)
Guilty-As-Yara is a Rust-based tool that generates Windows PE executables containing data patterns designed to trigger YARA rule matches, for validating rules.

R2frida (GitHub Repo)
r2frida is a radare2 plugin that bundles Frida to instrument and analyze local or remote processes via r2 commands and scripts.

Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets (4 minute read)
Tomiris is a Kazakhstan-linked threat actor that uses Telegram and Discord as command-and-control infrastructure while targeting foreign ministries and government entities across Russia and Central Asia through spear-phishing campaigns. The attacks deploy multi-language malware, including Rust-based downloaders, Python-based backdoors such as Distopia, and custom implants. Over 50% of the lures are written in Russian, and routing C2 through public services blends the malicious traffic with legitimate service activity.
Security teams should monitor for unusual Telegram and Discord API traffic patterns, implement application control policies that restrict execution from archive files, and deploy behavioral detection for persistence mechanisms that rely on the Windows Registry modifications associated with these custom implant families.

AWS pre:Invent Security Highlights: What Changed and Why it Matters (5 minute read)
AWS has added a new CLI command, `aws login`, which lets users obtain short-lived AWS credentials even if the account is not configured with IAM Identity Center. AWS IAM Outbound Identity Federation now allows AWS users or services to request a short-lived JWT for external services that trust your AWS account, which can replace hardcoded, long-term credentials or API keys in Lambda or EC2. AWS has also enabled Attribute-Based Access Control (ABAC) for S3, which lets users define S3 access permissions using tags instead of listing every bucket in an IAM policy.

Purple Team Maturity Model: From Chaos to Controlled Chaos (4 minute read)
Organizations that wish to start purple teaming can begin by defining a purple team strategy with loosely scheduled sessions, referencing MITRE ATT&CK tactics in testing, and feeding early detection gaps into detection engineering. As they mature, teams can introduce metrics, run more structured purple team exercises, and map red team TTPs more closely to MITRE ATT&CK tactics and threat intelligence. Further along, they can introduce automated adversary emulation. Eventually, purple teaming can be driven by threat intelligence, continuously run fully automated attack chains, and integrate machine learning, SOAR, and XDR to power rapid detection and response.
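Returning to the Shai Hulud 2.0 item above, which recommends using published IOCs and scanners to find infected packages and leftover malware files: the script below is an added example of that check, not code from the linked analysis or from any community scanner. It walks an npm `package-lock.json` (both the lockfileVersion 2/3 `packages` map and the older lockfileVersion 1 nested `dependencies` tree) and reports installed name/version pairs that appear in an IOC table, then walks a working tree for artifact file names. Every IOC value here is a constructed placeholder, since the newsletter carries none; substitute the published Shai Hulud 2.0 package versions and file names before use.

```python
"""Scan npm lockfiles and a working tree against a supply-chain IOC list.

Added example, not from the TLDR item, the linked analysis, or any vendor
scanner. The package names/versions and artifact file names below are
constructed placeholders standing in for the published Shai Hulud 2.0 IOCs.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Set, Tuple

# Placeholder IOCs (constructed): package name -> set of compromised versions.
IOC_PACKAGES: Dict[str, Set[str]] = {
    "placeholder-compromised-pkg": {"1.2.3"},
    "@placeholder-org/compromised": {"4.5.6"},
}
# Placeholder file names (constructed) of leftover malware artifacts.
IOC_FILENAMES: Set[str] = {"placeholder_artifact.js"}


def load_lockfile(path: Path) -> dict:
    return json.loads(path.read_text(encoding="utf-8"))


def iter_installed(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install_path) for every package in a lockfile.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 nests "dependencies" recursively. Both are covered.
    """
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Scoped packages end in "node_modules/@scope/name"; the name is
            # everything after the last "node_modules/" unless aliased via "name".
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, str(meta.get("version", "")), path
        return

    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield name, str(meta.get("version", "")), path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock: dict, iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return installed packages whose exact version is listed as compromised."""
    return [
        {"name": name, "version": version, "path": path}
        for name, version, path in iter_installed(lock)
        if version in iocs.get(name, set())
    ]


def find_artifacts(root: Path, names: Set[str]) -> List[str]:
    """Return paths (relative to root) of files whose names match the IOC list."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname in names:
                found.append(os.path.relpath(os.path.join(dirpath, fname), root))
    return sorted(found)


# Constructed sample lockfiles: one v3, one v1. A clean version of an IOC
# package is included to show that only exact version matches are reported.
SAMPLE_LOCK_V3 = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/placeholder-compromised-pkg": {"version": "1.2.3"},
        "node_modules/@placeholder-org/compromised": {"version": "4.5.6"},
        "node_modules/other/node_modules/placeholder-compromised-pkg": {"version": "1.0.0"},
    },
}
SAMPLE_LOCK_V1 = {
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0"},
        "other": {"version": "2.0.0",
                  "dependencies": {"placeholder-compromised-pkg": {"version": "1.2.3"}}},
    },
}


def demo_artifact_scan() -> List[str]:
    """Plant one constructed artifact in a throwaway tree and scan for it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "node_modules" / "left-pad").mkdir(parents=True)
        (root / "node_modules" / "left-pad" / "index.js").write_text("// benign\n")
        (root / "placeholder_artifact.js").write_text("// planted marker, constructed\n")
        return find_artifacts(root, IOC_FILENAMES)


if __name__ == "__main__":
    for hit in find_compromised(SAMPLE_LOCK_V3, IOC_PACKAGES):
        print("compromised package:", hit)
    print("artifact files:", demo_artifact_scan())
```

Point `load_lockfile` at a real `package-lock.json` and `find_artifacts` at the repository root to scan a project; a hit on either list means the machine's secrets should be treated as compromised and rotated, as the item advises, not just the package removed.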
If you have any comments or feedback, just respond to this email! Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile