Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11790
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-08 23:43:36 | theregister | DATA BREACH | Former WhatsApp Security Chief Sues Meta Over Retaliation Claims | Attaullah Baig, former head of security at WhatsApp, has filed a lawsuit against Meta, claiming retaliation for reporting security failings that potentially violated the company's legal commitments. Baig alleges his reports of systemic cybersecurity failures were met with unjust performance reviews, leading to his termination from WhatsApp. The lawsuit claims that around 1,500 WhatsApp engineers had unrestricted access to sensitive user data, posing significant privacy risks. Baig's concerns included potential violations of the US Sarbanes-Oxley Act and SEC rules, which he reported to Meta's top executives, including CEO Mark Zuckerberg. Meta, facing historical privacy criticisms and fines, denies the allegations and asserts a strong commitment to privacy and security. The case raises questions about internal security practices and the handling of whistleblower reports within large technology firms. The legal battle unfolds as Meta awaits a decision in the FTC's antitrust case against it, highlighting ongoing regulatory challenges. | Details |
| 2025-09-08 21:45:20 | bleepingcomputer | VULNERABILITIES | Surge in Scans Targeting Cisco ASA Devices Signals Potential Flaw | GreyNoise recorded significant spikes in network scans against Cisco ASA devices, with up to 25,000 unique IP addresses probing ASA login portals. A Brazil-based botnet drove 80% of the second wave, using approximately 17,000 IPs and targeting mainly the United States, with additional focus on the UK and Germany. Overlapping Chrome-like user agents across the waves suggest a common origin and point to reconnaissance ahead of a possible new vulnerability. GreyNoise notes that such reconnaissance often precedes new vulnerability disclosures, though the correlation is statistically weaker for Cisco products. Administrators are urged to apply the latest security updates, enforce multi-factor authentication, and avoid exposing the ASA login portals these scans target directly to the internet. Blocking the scanner IPs published in GreyNoise's and Rat5ak's reports can pre-empt these attempts and improve an organization's security posture. Cisco has been contacted for comment, and further updates are anticipated as more information becomes available. | Details |
| 2025-09-08 21:08:08 | theregister | MISCELLANEOUS | GAO Report Reveals Gaps in Federal Cybersecurity Workforce Data | The Government Accountability Office (GAO) identified unreliable and incomplete data on the federal cybersecurity workforce across 23 key US government agencies. The report estimates at least 63,934 full-time cybersecurity employees, costing approximately $9.3 billion annually, with an additional $5.2 billion spent on 4,151 contractors. Most agencies lack quality assurance processes for workforce data, with 19 agencies reporting no such measures and 17 lacking standardized definitions for cybersecurity roles. The Office of the National Cyber Director (ONCD) has not provided adequate guidance, contributing to data inconsistencies and suspended workforce data meetings. Sean Cairncross, the newly confirmed National Cyber Director, has no prior cybersecurity leadership experience, raising concerns about future workforce management. The GAO recommended addressing data gaps, improving data quality, standardizing role definitions, and assessing workforce effectiveness, but ONCD has yet to commit to these actions. The Biden administration initiated efforts to enhance workforce data accuracy, but the continuation of these initiatives remains uncertain amid current administrative challenges. | Details |
| 2025-09-08 19:55:28 | theregister | DATA BREACH | Salesloft GitHub Breach Impacts Major Tech Firms' Data Security | Attackers gained access to Salesloft's GitHub account in March, the first step in an intrusion that ultimately exposed data from hundreds of companies, including Google and Palo Alto Networks. The GitHub activity involved unauthorized downloads from multiple repositories and the addition of a guest user. Mandiant's investigation found that the attackers went on to access Drift's AWS environment and obtain the OAuth tokens later used to break into customers' Salesforce instances. Companies affected include Google, Cloudflare, Zscaler, and others, with customer data stolen through the compromised integrations. Salesloft's response included taking Drift offline, rotating credentials, and isolating infrastructure, and Mandiant has confirmed the incident is contained. The breach has raised concerns about the security of third-party integrations and the need for robust access controls and monitoring. Ongoing investigations aim to identify the attackers, with potential links to the threat groups UNC6395 and ShinyHunters being explored. | Details |
| 2025-09-08 19:55:27 | bleepingcomputer | DATA BREACH | GhostAction Supply Chain Attack Compromises Thousands of GitHub Secrets | GitGuardian researchers uncovered the GhostAction campaign, which compromised 3,325 secrets across GitHub, including tokens for PyPI, npm, DockerHub, Cloudflare, and AWS. The attackers used compromised maintainer accounts to commit malicious GitHub Actions workflows that exfiltrated repository secrets on `push` events or manual `workflow_dispatch` runs. FastUUID was the first project identified, with its PyPI token stolen, though no malicious package releases were reported before the breach was mitigated. GhostAction impacted at least 817 repositories, sending secrets to a single external domain; 100 repositories had already reverted the malicious changes. GitGuardian alerted GitHub, npm, and PyPI, and the exfiltration endpoint went offline shortly after the campaign's discovery. The stolen tokens remain a threat to multiple package ecosystems, with the potential for malicious releases until maintainers rotate the compromised secrets. Despite similarities to the 's1ngularity' campaign, GitGuardian found no direct link between the two operations. | Details |
| 2025-09-08 19:21:41 | bleepingcomputer | MISCELLANEOUS | Signal Introduces Secure Cloud Backups with Encrypted Storage Options | Signal has launched an opt-in feature for end-to-end encrypted backups, allowing users to restore chats if a device is lost or damaged. The feature is currently in beta for Android, with plans to extend it to iOS and desktop. Users can back up text messages and the last 45 days of media for free, with a paid option for extended media history and message storage. The paid plan, at $1.99 per month, offers 100 GB of storage, reflecting the cost of storing and transferring large volumes of data. Enabling secure backups generates a 64-character recovery key that Signal never stores or shares; it is required to decrypt and restore the backup, so losing the key means losing the backup. Signal's new feature builds on previous privacy enhancements, including encrypted message synchronization and screen security on Windows 11. The development reflects Signal's ongoing commitment to user privacy and secure communication. | Details |
| 2025-09-08 19:15:58 | theregister | CYBERCRIME | Massive Supply Chain Attack Compromises 18 Popular npm Packages | A significant supply chain attack compromised 18 npm packages, including the widely used debug and chalk, with malware aimed at cryptocurrency transactions across major blockchains. Maintainer Josh Junon's npm account was taken over via a phishing email, allowing the attackers to publish malicious versions of the packages. The malware intercepts web3 activity in the browser and redirects funds to attacker-controlled wallets. Aikido Security detected the attack, which affected packages with a combined download count of two billion per week, marking a major incident in npm's history. npm and the maintainers acted swiftly to remove the compromised versions, but some, such as simple-swizzle@0.2.3, remained available at the time of reporting. No stolen funds had been reported at the time of writing, suggesting early detection and response limited the damage. The incident underscores the need for vigilance against phishing and for robust protections in software supply chains. | Details |
| 2025-09-08 18:30:33 | bleepingcomputer | DATA BREACH | Lovesac Faces Data Breach After Ransomware Attack by RansomHub | Lovesac, a prominent American furniture brand, confirmed a data breach affecting an undisclosed number of individuals due to a ransomware attack. The breach occurred between February 12 and March 3, 2025, with hackers accessing and stealing data from internal systems. While the exact data stolen remains unspecified, full names and other personal information were compromised; the impact on customers, employees, or contractors is unclear. Lovesac is offering affected individuals a 24-month credit monitoring service through Experian to mitigate potential risks. The RansomHub ransomware group claimed responsibility, threatening to leak data unless a ransom is paid; the current status of the ransom demand is unknown. Lovesac has not detected misuse of the stolen data but advises vigilance against phishing attempts. The RansomHub group, active since February 2024, targeted several high-profile organizations before shutting down in April 2025, with affiliates reportedly moving to DragonForce. | Details |
| 2025-09-08 18:14:59 | bleepingcomputer | MISCELLANEOUS | Major Sports Piracy Platform Calcio Shut Down by ACE and DAZN | The sports streaming piracy service, Calcio, was shut down after receiving over 123 million visits in the past year, primarily from Italy. The operation was led by the Alliance for Creativity and Entertainment (ACE) and DAZN, targeting illegal streaming networks. Calcio's operator, based in Moldova, agreed to cease operations and transferred all domains to ACE, which now redirect to a legal streaming site. The platform provided unauthorized access to sports streams, impacting broadcasters and sports leagues by diminishing the commercial value of live events. ACE's coalition includes over 50 major media firms, demonstrating a significant industry effort against illegal streaming activities. Previous ACE actions have led to the shutdown of other major illegal streaming networks, showcasing ongoing efforts to protect content integrity. The collaboration between ACE and law enforcement agencies highlights the importance of international cooperation in combating digital piracy. | Details |
| 2025-09-08 17:56:43 | theregister | NATION STATE ACTIVITY | Silent Push Identifies Chinese Espionage Domains Linked to Salt Typhoon | Silent Push discovered 45 domains linked to Salt Typhoon, a Chinese espionage group, used for long-term access to victim organizations since 2020. Salt Typhoon, associated with UNC4841, targeted U.S. telecommunications firms, compromising metadata and sensitive data of numerous Americans. The group exploited CVE-2023-2868 in Barracuda Email Security Gateways to deploy custom malware, impacting government networks significantly. Researchers identified fake registrant personas and suspicious domain patterns, suggesting sophisticated obfuscation tactics by Salt Typhoon. A domain resembling a Hong Kong newspaper raises questions about potential psychological operations or propaganda efforts. Silent Push advises organizations to scrutinize telemetry and logs against these domains to mitigate risks from Salt Typhoon's activities. The report emphasizes the urgent need for proactive cybersecurity measures to counteract this persistent threat from Chinese espionage actors. | Details |
| 2025-09-08 16:48:38 | bleepingcomputer | CYBERCRIME | Massive Supply Chain Attack Hits NPM Packages, Targets Crypto Transactions | A significant supply chain attack compromised npm packages with over 2.6 billion weekly downloads, affecting developers and users globally. The attackers used phishing to hijack maintainer accounts and injected malware into the packages' index.js files that hooks browser network traffic and API calls. The malicious code targets cryptocurrency transactions, swapping wallet addresses so that funds are redirected to attacker-controlled wallets. Affected cryptocurrencies include Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, posing a substantial risk to crypto users. The code operates silently, manipulating web3 activity in the browser without the user noticing, which raises concerns about the integrity of web applications built on these packages. Affected maintainers confirmed the phishing email came from a domain impersonating npmjs.com, showing a targeted social engineering effort. The incident is part of a troubling trend of attacks on JavaScript libraries and underlines the need for stronger security measures in software development. | Details |
| 2025-09-08 15:47:35 | bleepingcomputer | DATA BREACH | Salesloft GitHub Breach Leads to Widespread Salesforce Data Theft | Salesloft's breach began in March, when attackers accessed its GitHub account, and led to the theft of Drift OAuth tokens. Those tokens were used in August for widespread Salesforce data theft affecting major customers such as Google, Zscaler, and Palo Alto Networks. The attackers used the stolen OAuth tokens to pull sensitive Salesforce data and mined it for credentials, including AWS keys and Snowflake access tokens. Mandiant's investigation showed that the attackers conducted reconnaissance and set up rogue workflows within Salesloft's GitHub environment. Salesloft has rotated credentials, isolated Drift's infrastructure, and carried out threat hunting to confirm no further compromise exists. The company has restored its Salesforce integrations after a precautionary suspension and provided guidance on data syncing to affected users. The incident underscores the need for robust access control and monitoring of third-party integrations to prevent supply chain attacks. | Details |
| 2025-09-08 15:32:39 | thehackernews | DATA BREACH | Salesloft GitHub Compromise Leads to Drift Breach Impacting 22 Firms | Salesloft experienced a data breach originating from the compromise of its GitHub account, affecting 22 companies linked through its Drift application. The breach, investigated by Mandiant, involved threat actor UNC6395 accessing Salesloft's GitHub from March to June 2025, conducting reconnaissance activities. Attackers downloaded content from repositories, added a guest user, and established workflows, but evidence of activity was limited to reconnaissance. Drift's AWS environment was accessed, and OAuth tokens for customer integrations were stolen, allowing data access through Drift integrations. Salesloft has isolated the Drift infrastructure, taken the application offline, rotated credentials, and enhanced segmentation controls between Salesloft and Drift. Third-party applications using Drift via API key are advised to revoke existing keys as a precautionary measure. Salesforce temporarily suspended and later restored integration with Salesloft, excluding Drift, pending further security assessments. | Details |
| 2025-09-08 15:05:27 | thehackernews | MALWARE | GPUGate Malware Campaign Targets IT Firms Using Google Ads | A new malware campaign, GPUGate, targets IT and software development firms in Western Europe, using Google Ads to lure users into downloading malicious software. The ads point to a GitHub commit URL in a legitimate repository, and the commit content links on to a counterfeit download site, exploiting trust in a reputable platform to deliver the malware. The first stage is a 128 MB MSI file whose size and GPU-based decryption are designed to defeat security sandboxes. Because GPUGate decrypts its payload through GPU functions, the payload stays inert on virtual machines and older analysis environments that lack proper GPU drivers. The attack chain uses Visual Basic and PowerShell scripts to disable defenses, establish persistence, and execute secondary payloads for information theft. Indicators suggest the operators have Russian language skills, with evidence pointing to a cross-platform strategy involving Atomic macOS Stealer. The campaign's sophistication challenges traditional detection methods and calls for adaptive security measures. | Details |
| 2025-09-08 13:36:39 | bleepingcomputer | VULNERABILITIES | Action1 Offers Modern Alternative to Deprecated WSUS for Patch Management | Microsoft has officially deprecated Windows Server Update Services (WSUS), prompting IT administrators to seek modern alternatives for patch management solutions. Action1, a cloud-native platform, presents an efficient alternative, offering rapid deployment without the need for server installation or complex configurations. Unlike WSUS, which only supports Microsoft products, Action1 extends patching capabilities to third-party applications, addressing significant security gaps. Action1's cloud-based approach eliminates the need for VPN connections, allowing seamless updates for remote and hybrid workforces. The platform supports policy-driven automation, enabling automatic deployment of critical patches and reducing manual intervention. Real-time dashboards and compliance reports enhance visibility and simplify audits, a notable improvement over WSUS's limited reporting capabilities. Action1 scales effortlessly in the cloud, providing consistent performance regardless of the number of endpoints managed, unlike the infrastructure-heavy WSUS. With a predictable cost model, Action1 reduces overhead compared to WSUS, which incurs hidden costs through licensing and maintenance. | Details |