Attacks & Vulnerabilities

Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware (4 minute read)
ShadyPanda, a threat actor, compromised 4.3 million Chrome and Edge users through a seven-year campaign that published legitimate extensions, accumulated Featured and Verified status, and then weaponized them via malicious updates containing backdoors and spyware. The malware enabled complete browser surveillance: remote code execution, hourly C2 check-ins, arbitrary JavaScript execution with full browser API access, and real-time exfiltration of browsing data. ShadyPanda exploited a fundamental gap in marketplace review: extensions are reviewed only at submission, while post-approval updates are not monitored. Five extensions with over 4 million combined installs remain active on the Edge marketplace.

Fake Calendly Invites Spoof Top Brands to Hijack Ad Manager Accounts (2 minute read)
An ongoing phishing campaign uses Calendly invites that impersonate popular brands to phish for business ad manager accounts. These accounts are attractive to threat actors because they can serve as a springboard for malvertising campaigns with advanced features such as geo-targeting, domain filtering, and device-specific targeting. Victims receive a Calendly invite from the threat actor posing as a recruiter with a fake meeting invitation, which directs them to an Attacker-in-the-Middle phishing page that attempts to steal login credentials.

North Korea Lures Engineers to Rent Identities in Fake IT Worker Scheme (3 minute read)
North Korea's Famous Chollima is running a campaign that attempts to lure developers into renting out their identities for illicit fundraising. The attackers offer legitimate engineers a percentage of the salary for a remote job if they grant the threat actor remote access to their computer. In some cases, the engineer acts as a frontman for the agent in interviews.

How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations (18 minute read)
Primitive Bear (Gamaredon), an FSB-attributed APT group, exploited CVE-2025-6218, a critical WinRAR path traversal vulnerability affecting versions through 7.11, in targeted spear-phishing campaigns against Ukrainian military units and government entities using military-themed lures. The attack chain used malicious RAR archives containing HTA files with obfuscated VBScript, abusing the path traversal flaw to write payloads directly to Windows Startup folders, then used mshta.exe as a LOLBIN to fetch second-stage malware from DynDNS-based C2 infrastructure spanning 14 active domains. The campaigns demonstrated sophisticated tradecraft, including minimal obfuscation, multi-stage payload delivery, phishing URL masquerading (president.gov.ua@malicious-domain), and infrastructure sourced from InterLIR IP marketplaces and No-IP dynamic DNS services. Defenders are advised to update WinRAR to 7.12 or later, block HTA execution via AppLocker/WDAC, and monitor for LOLBIN abuse and Startup folder modifications.

AWS Secrets Manager Announces Managed External Secrets (1 minute read)
Managed external secrets is a new AWS Secrets Manager capability that provides automatic rotation for participating third-party SaaS secrets without the overhead of writing, deploying, or managing rotation Lambda functions. At present, the supported third-party vendors are Salesforce, BigID, and Snowflake. AWS has published a guide for becoming an integrated third-party vendor; it demonstrates how to create, manage, and view external secrets.

AI agents find $4.6M in blockchain smart contract exploits (16 minute read)
SCONE-bench, created by Anthropic researchers, contains 405 exploit-prone smart contracts. Claude Opus 4.5, Sonnet 4.5, and GPT-5 exploited 34 of them, worth $4.6 million. Sonnet 4.5 and GPT-5 also found two new zero-day vulnerabilities in 2,849 new contracts, producing exploits worth $3,694 at an API cost of $3,476 for GPT-5. This shows that profitable autonomous exploitation is feasible with current models. Security teams should adopt AI agents for smart contract auditing before deployment: the shrinking window for exploitation and dropping costs ($1.22 per run) give attackers an advantage, but the same agents enable proactive vulnerability detection and fixing.

Telegram's Cocoon network goes live, challenges Amazon, Microsoft in AI compute (3 minute read)
Telegram Cocoon is a TON blockchain-based decentralized AI compute network that connects GPU providers (paid in toncoin) with privacy-focused applications that need to run AI models. It is positioned as a confidential alternative to centralized cloud providers such as Amazon and Microsoft. The network uses attested compute layers to process AI requests while settling payments on-chain. Security professionals should note ecosystem concerns: hardware support limited to specific Intel processors, likely scrutiny of the "100% confidentiality" claims, and the strategic implications of a central messaging platform controlling AI compute infrastructure that could process sensitive organizational workloads.

vt-py (GitHub Repo)
vt-py is the official Python client library for VirusTotal; it provides access to the VirusTotal REST API v3.

Saporo (Product Launch)
Saporo provides a graph-native identity security platform that analyzes relationships, events, and misconfigurations across on-prem, cloud, and machine identities to surface attack paths, reduce exposure, and harden access to critical assets before exploitation.
Glassworm malware returns in third wave of malicious VS Code packages (3 minute read)
Glassworm malware has returned for a third wave on the OpenVSX and Microsoft Visual Studio marketplaces with 24 new packages impersonating popular developer tools. The supply chain attack has evolved to use Rust-based implants alongside invisible Unicode character obfuscation. It steals GitHub, npm, and OpenVSX credentials plus cryptocurrency wallet data from 49 extensions, deploys SOCKS proxies for traffic routing, and installs HVNC clients for stealthy remote access, while manipulating download counts to boost search rankings. Development teams should immediately audit installed VS Code extensions against the published IOC lists, verify publisher authenticity before installation, monitor for suspicious extension updates, and implement controls to detect invisible Unicode characters in code reviews to prevent credential theft and environment compromise.

India Orders Smartphone Makers to Preload State-Owned Cyber Safety App (2 minute read)
India's telecoms ministry has privately asked smartphone makers to preload all new devices with a state-owned cybersecurity app that cannot be deleted. Smartphone makers will have 90 days to ensure the government's Sanchar Saathi app is preinstalled on new devices, and should push the app to existing devices in the supply chain via software updates. Apple is expected to push back on the requirement and may reach a compromise in which it agrees to nudge users to install the app.

Vulnerability in OpenAI Coding Agent Could Facilitate Attacks on Developers (3 minute read)
A command-injection vulnerability in OpenAI's Codex CLI allows trusted local configuration files to execute attacker-controlled commands without user approval. By slipping malicious configs into a repository, an attacker could gain remote access, run arbitrary commands, steal secrets, and even poison supply chains via CI and build systems.
OpenAI fixed the issue in Codex CLI version 0.23.0 after disclosure.

Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile
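The Glassworm item above recommends controls that detect invisible Unicode characters during code review. As an added example (not code from the newsletter or from any project it cites), this Python scanner flags format characters and other invisible code points in source text and reports where they sit; the sample input is constructed.

```python
import unicodedata
from dataclasses import dataclass

# Added example, not code from the newsletter or any project it cites.
# Invisible ranges that are NOT general category "Cf", so a category check
# alone would miss them.
INVISIBLE_EXTRA = (
    (0x115F, 0x1160),    # Hangul choseong / jungseong fillers (Lo)
    (0x3164, 0x3164),    # Hangul filler (Lo)
    (0xFFA0, 0xFFA0),    # halfwidth Hangul filler (Lo)
    (0xFE00, 0xFE0F),    # variation selectors (Mn)
    (0xE0100, 0xE01EF),  # variation selectors supplement (Mn)
)

@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number
    column: int     # 1-based code point offset within the line
    codepoint: int
    name: str
    category: str   # Unicode general category, e.g. "Cf"

def is_invisible(ch: str) -> bool:
    """Format characters (zero-width, bidi controls, Unicode tags) plus INVISIBLE_EXTRA."""
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_EXTRA)

def scan_source(text: str, allow_leading_bom: bool = True) -> list[Finding]:
    """Report every invisible character; a UTF-8 BOM as the very first character is tolerated by default."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if allow_leading_bom and lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append(Finding(lineno, col, ord(ch),
                                        unicodedata.name(ch, "<unnamed>"),
                                        unicodedata.category(ch)))
    return findings

# Constructed sample: a zero-width space inside a string literal and two
# Unicode tag characters hidden after a comment; both render as nothing.
SAMPLE = (
    "const name = 'helper';\n"
    "const check = 'ok\u200b';\n"
    "// deploy\U000E0041\U000E0042\n"
)
```

Running `scan_source` over every text file of an extension in a pre-commit hook or CI step turns the recommendation into an enforced check.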