Daily Brief

A malicious VSCode extension named "Solidity Language" from the Open VSX registry led to the theft of $500,000 in cryptocurrency. The fake extension was designed to impersonate a legitimate plugin for Ethereum smart contracts, but instead executed a remote PowerShell script. The attackers used the script to install ScreenConnect, gaining full remote access to the victim's computer. Additional malicious payloads were subsequently downloaded, including a known malware loader. The victim, a Russian crypto developer, did not have antivirus software installed, complicating the detection of the intruding software. Kaspersky's investigation revealed that the extension had been downloaded 54,000 times, though this figure was likely inflated to boost its apparent legitimacy. Similar deceptive extensions were found in Microsoft's Visual Studio Code marketplace, suggesting a broader attack strategy. Kaspersky advises developers to exercise extreme caution when downloading tools and packages from open repositories, as these platforms are increasingly targeted by cybercriminals.

Britain and France are collaborating to enhance GPS resilience amid increasing signal jamming globally. This initiative was disclosed during French President Macron's state visit, aligning with other UK-France science and technology partnerships. The focus is on developing positioning, navigation, and timing (PNT) technologies as alternatives to GPS, which are more resistant to interference. Technologies like eLoran are being considered; a terrestrial system that utilizes low-frequency ground-based radio towers, difficult to jam. These efforts aim to protect critical civilian infrastructures, particularly applications like business transaction time-stamping that rely on precise timing. The UK's Ministry of Defence has explored deploying portable eLoran networks and has called for tenders to build a national eLoran system. Recent international incidents, including GPS disruptions in the Baltic Sea, have underscored the urgency of these protective measures against GPS signal manipulation. GPS interference and spoofing are identified as significant flight safety concerns by the European Union Aviation Safety Agency (EASA), affecting regions across Eastern Europe and the Middle East.

The UK's National Crime Agency (NCA) contests the findings of a think tank report that claims the FBI is nearly three times more efficient. The Social Market Foundation based its report on a "crude" comparison of arrest figures and officer counts without considering different mandates of the NCA and FBI. The report criticizes the UK government and NCA's approach towards combating serious organized crime, highlighting issues such as underinvestment and recruitment challenges. The NCA highlights its strategic impacts on organized crime, disputing the think tank's methodology and defending its results and operational effectiveness. Despite criticisms, the NCA achieved significant successes, including recent arrests related to ransomware attacks on major British retailers. The NCA insists it remains a world-leading agency in combating serious and organized crime, aiming to further enhance its operational capabilities. Social Market Foundation urges the UK to redefine its national strategy against organized crime and increase funding for the NCA.

India's Central Bureau of Investigation (CBI) successfully shut down a transnational tech support scam operated from Noida, targeting citizens in the UK and Australia. The fraudulent scheme by FirstIdea call center caused losses exceeding £390,000 in the UK alone. CBI's Operation Chakra V involved raids on three locations, including a live fraudulent call center, resulting in two arrests. Scammers pretended to be tech support from major corporations, deceiving victims into paying for unnecessary technical support services. Collaborative efforts between CBI, UK's National Crime Agency, the FBI, and Microsoft were crucial in identifying and dismantling the scam's infrastructure. Over 100 individuals in the UK were deceived by the scammers using spoofed phone numbers and VoIP to appear as legitimate tech support. The raids were timed to match the active scam calls based on victim time zones, enhancing the operation’s effectiveness.

Cybersecurity researchers discovered a significant vulnerability in Kigen's eUICC cards used in modern IoT devices and smartphones. The flaw exploits eSIM technology, allowing potential malicious installation and manipulation of mobile subscriptions. Over two billion devices worldwide are at risk due to this vulnerability in older eSIM technology versions. Kigen acknowledged the vulnerability, which can be abused if attackers gain physical access and use specific publicly known keys. The attack could enable downloading and tampering of mobile operator profiles, which poses risks to data integrity and security. The issue was identified and reported by Security Explorations, leading to a $30,000 bounty from Kigen. Updated GSMA TS.48 version 7.0 addresses the vulnerability, but prior versions remain deprecated. The exploitation of this vulnerability is feasible and poses a realistic threat, especially from capable nation-state actors.

Iran is actively searching for a minimum of three cloud service providers to support government operations. The Information Technology Organization of Iran (ITOI) intends to evaluate and rank cloud providers based on their ability to meet specific standards. Compliance with ISO 27017 and ISO 27018, which ensure secure cloud computing and the protection of personally identifiable information, is required. Providers must also adhere to the NIST SP 800-145 definition of cloud computing, despite Iran's adversarial relationship with the USA. Cloud services sought include various forms such as IaaS, PaaS, SaaS, and options for private, public, hybrid, or community clouds. Approved organizations will receive a “cloud service rating certificate” and be listed as authorized cloud service providers. Companies involved in security, monitoring, support services, or cloud migration are also encouraged to apply. International businesses should note that many jurisdictions consider trading with Iran illegal, potentially complicating participation.

Nvidia has issued an advisory for its GPUs, notably the A6000, vulnerable to Rowhammer attacks which disrupt memory through electrical interference. The security loophole in Bluetooth systems has put vehicles from Mercedes-Benz, Volkswagen, and Skoda at risk, allowing potential control over various car functions. Jack Dorsey's new Bluetooth-based communication network, BitChat, has faced criticism for significant security flaws, including basic errors in authentication systems. A series of deepfake attacks impersonating US Secretary of State Marco Rubio via voicemails and texts have targeted government and foreign officials. In a major action against cybercrime, Romanian police arrested 13 individuals engaged in a scam to fraudulently claim tax benefits and relief from the UK's Revenue and Customs. Bitcoin Depot, the operator of the world's largest Bitcoin ATM network, acknowledged a data breach affecting personal information of approximately 27,000 users, delayed by a federal investigation.

Google Gemini for Workspace can be manipulated to generate email summaries that include hidden phishing directives. Attackers use HTML and CSS to embed invisible instructions in emails, which Gemini then processes into misleading summaries. This vulnerability was highlighted by Mozilla's GenAI Bug Bounty Programs Manager via its platform, 0din. Despite previous reporting of similar prompt injection attacks and implemented safeguards, the technique remains effectively exploitable. The misleading summaries generated by Gemini can include fake security warnings, leading to high risks of user deception. Proposed mitigation strategies include eliminating hidden text and implementing a post-process review to flag potential phishing summaries. Google has been made aware and is reportedly enhancing its defenses, although some measures are still pending deployment. No real-world exploitation of this vulnerability has been reported according to Google, but the potential for abuse remains a concern.

North Korean fake IT worker scams are infiltrating Fortune 500 companies, impersonating applicants with fabricated resumes and deepfake technologies. These scammers often use insider access to steal sensitive data and threaten companies with data leaks for ransom, with the scams causing substantial financial losses. Companies have observed a significant influx of applicants for remote jobs, particularly in engineering and software development, with discrepancies like minimal LinkedIn connections despite robust resumes. Security measures being adopted include thorough ID verifications, requiring physical presence for final hiring phases, and collaborating with law enforcement and security agencies to share intelligence and strategies. Despite sophisticated detection methods, including AI tools integrating indicators of compromise (IOCs), fraudsters continually evolve their tactics, requiring ongoing vigilance and adaptation from corporate HR and security teams. Organizations share strategies and implement strict verification processes during hiring to avoid falling victim to these employment scams, with measures like in-person onboarding being crucial. The threat, while currently attributed primarily to North Korean groups, is expected to spread as other bad actors recognize the potential for exploitation.

NVIDIA urges customers to enable ECC to counteract the GPUHammer RowHammer attack variant affecting its GPUs. GPUHammer enables malicious users to induce bit flips in NVIDIA's GPU memory, specifically targeting the A6000 model with GDDR6 Memory. The University of Toronto researchers highlighted that GPUHammer attacks can reduce the accuracy of AI models from 80% to less than 1%. Unlike speculative execution vulnerabilities in CPUs, RowHammer attacks target the physical behavior of DRAM, causing disruptive bit flips. A recently developed proof-of-concept by researchers used a single-bit flip to degrade ImageNet DNN model accuracy dramatically—from 80% to 0.1%. NVIDIA recommends enabling system-level ECC, despite a potential reduction in performance and memory capacity for A6000 GPUs. Newer GPU models such as H100 and RTX 5090 are naturally resistant to GPUHammer due to onboard ECC capabilities. Academic studies reveal potential for broader implications of RowHammer on cloud platforms and AI systems, emphasizing the need for proactive security measures on GPUs.

Cybersecurity researchers uncovered a security flaw in McDonald's McHire chatbot that exposed chats from over 64 million job applications. The vulnerability was found by researchers Ian Carroll and Sam Curry, revealing that admin panel credentials were as weak as "123456". The job application bot, named Olivia, accepted sensitive personal information from applicants which was inadvertently exposed due to the flaw. Researchers used a technique involving the manipulation of the lead_id parameter in HTTP requests to access other applicants' data without authorization. This vulnerability represents an IDOR (Insecure Direct Object Reference) issue, where internal identifiers like record numbers are exposed. McDonald's and its service provider Paradox.ai responded swiftly, with a fix deployed the same day the issue was reported, and default admin credentials disabled. Paradox.ai is conducting an ongoing review and has made updates to ensure similar vulnerabilities are not repeated. Paradox clarified that any interaction with the chatbot could have been exposed, not necessarily those including personal data submissions.

Hackers initiated attacks exploiting a severe remote code execution flaw in Wing FTP Server, identified as CVE-2025-47812. The vulnerability allows unauthenticated remote attackers to run high-privilege code due to unsafe string handling in C++ and unsanitized Lua input. Threat actors ran enumeration and reconnaissance tactics, aimed to establish persistence by creating new user accounts. A security update (version 7.4.4) that fixes this RCE flaw has been issued by the vendor, with recommendations to upgrade immediately. The researcher's demonstration showed exploitation via a null byte in the username field, leading to arbitrary Lua code injection. Managed cybersecurity service Huntress observed real-time attacks involving malformed login attempts and sessions designed to download and execute malicious payloads. Organization recommendations include upgrading Wing FTP software, restricting web access, disabling anonymous logins, and monitoring session directories.

Cybersecurity researchers at GitGuardian, in collaboration with Synacktiv, uncovered remote code execution vulnerabilities in over 600 Laravel applications caused by leaked APP_KEYs on GitHub. More than 260,000 APP_KEYs were extracted from GitHub data spanning from 2018 to May 2025, with 400 confirmed functional out of over 10,000 unique keys found. The vulnerability exploits a deserialization flaw through Laravel's decrypt() function, allowing attackers to execute arbitrary code using the leaked APP_KEY. This security issue persists in newer Laravel versions under certain configurations, despite being initially documented with CVE-2018-15133. The research found that 63% of these APP_KEY leaks are due to misconfigurations in .env files, which often contain other sensitive information like database credentials and cloud storage tokens. Approximately 28,000 exposed APP_KEY and APP_URL pairs were found on GitHub, with about 10% validating as active and compromising the application's security directly. GitGuardian emphasized the necessity for a robust rotation and secret monitoring strategy to effectively manage and secure exposed keys. The broader security context includes persistent risks across PHP environments, highlighting the need for comprehensive secret management and preventative measures in software development practices.

NVIDIA is urging users to enable System Level Error-Correcting Code (ECC) to mitigate Rowhammer attacks on GPUs with GDDR6 memory. Recent research demonstrated a successful Rowhammer attack on an NVIDIA A6000 GPU, prompting NVIDIA's recommendation. Rowhammer is a hardware fault exploited through frequent memory access, causing data corruption or system disruptions by altering adjacent memory bits. System Level ECC adds redundant bits to data, correcting single-bit errors and ensuring data integrity and reliability in critical applications. The attacks are technically challenging due to GDDR6’s higher latency and faster refresh rates compared to traditional DDR4, but they remain feasible. NVIDIA recommends System Level ECC for several GPU models, including latest data center and workstation units, to protect against potential vulnerabilities. Newer GPUs like the Blackwell and Hopper series feature built-in on-die ECC, which provides automatic protection without user intervention. Users can verify the ECC status via out-of-band and in-band methods, including system tools and command-line utilities like nvidia-smi.

Cybersecurity researchers found a serious flaw in McDonald's job application chatbot, resulting in exposure of personal information for over 64 million applicants. Weak default credentials "123456" on McHire's admin panel allowed unauthorized access to applicant data. Researchers utilized an IDOR vulnerability to increment or decrement unique applicant IDs, accessing sensitive data like chat transcripts and personal details. The vulnerability, found in the McHire system powered by Paradox.ai, was quickly addressed by McDonald's and Paradox after being reported. McDonald's implemented immediate changes by disabling the default admin credentials and pressing Paradox.ai to fix the IDOR flaw on the same day it was reported. Paradox.ai has committed to a system review to prevent further vulnerabilities and ensure the security of applicant data. Despite the prompt response, the incident highlights continued risks in cloud security and the effectiveness of simple exploit techniques.