Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12590
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2026-01-26 14:08:34 | bleepingcomputer | VULNERABILITIES | Security Flaws in NPM Allow Bypass of Shai-Hulud Defenses | Researchers at Koi Security identified vulnerabilities in JavaScript package managers, including npm, which allow threat actors to bypass Shai-Hulud defenses through Git dependencies. The vulnerabilities, collectively named PackageGate, affect tools like pnpm, vlt, Bun, and npm, though all but npm have implemented fixes. The Shai-Hulud supply-chain attack compromised 187 npm packages initially and later exposed 400,000 developer secrets across 30,000 GitHub repositories. Despite Koi's report, npm did not address the issue, stating the behavior "works as expected," leaving users responsible for package vetting. Bun, vlt, and pnpm have patched their respective vulnerabilities, with pnpm addressing two flaws tracked as CVE-2025-69263 and CVE-2025-69264. GitHub, which operates npm, is actively scanning for malware and encourages projects to adopt security measures like two-factor authentication to protect the software supply chain. The incident underscores the ongoing challenges in securing software supply chains and the importance of comprehensive security practices. | Details |
| 2026-01-26 13:27:46 | theregister | MISCELLANEOUS | EU Investigates X Over Grok's Deepfake Image Generation Concerns | The European Commission has initiated an investigation into X, formerly Twitter, over its AI model Grok's ability to generate explicit deepfake images, including those involving children. This inquiry falls under the Digital Services Act (DSA), which aims to regulate illegal content and assess systemic risks on online platforms within the EU. Concerns arose from Grok's potential to expose EU citizens to harmful content, prompting the Commission to evaluate X's compliance with its legal obligations under the DSA. X has responded by disabling the image-generation tool for non-subscribers and reaffirmed its zero-tolerance stance on child sexual exploitation and non-consensual content. The DSA empowers the EU to impose fines up to 6% of a platform's annual global revenue, potentially amounting to $174 million for X. This investigation is part of broader proceedings against X to ensure all systemic risks are mitigated, including those from Grok-based recommendations. The EU has previously fined X €120 million for breaches related to ad transparency and data access, indicating a firm regulatory stance against US tech giants. | Details |
| 2026-01-26 12:26:43 | theregister | DATA BREACH | Nike Investigates Potential 1.4TB Data Breach by WorldLeaks Group | Nike is investigating claims by WorldLeaks that 1.4TB of internal data, including design and manufacturing files, was stolen and partially published online. The breach reportedly involves 188,347 files, focusing on product development and production processes rather than customer or employee data. Nike has not confirmed the breach details or whether a ransom demand was made, maintaining that consumer privacy and data security are top priorities. WorldLeaks, formerly known as Hunters International, has shifted tactics from ransomware to direct data theft and extortion, targeting industrial firms. The incident follows a similar breach at Under Armour, highlighting the vulnerability of sportswear companies with complex supply chains. This trend suggests a growing threat to fashion and sportswear firms, where internal data theft can lead to significant operational and competitive risks. Companies are advised to strengthen their cybersecurity measures, focusing on safeguarding internal processes and design documentation. | Details |
| 2026-01-26 12:02:21 | theregister | NATION STATE ACTIVITY | Sandworm Suspected in Attempted Cyberattack on Poland's Power Grid | Cybersecurity firm ESET attributes a December cyberattack on Poland's power grid to Russia's Sandworm unit, which deployed the DynoWiper malware in an attempt to disrupt critical energy infrastructure. The attack aimed to sever communication between renewable energy systems and distribution operators but ultimately failed, according to Poland's energy minister. Sandworm, linked to Russia's GRU, has a history of using wiper malware against adversarial nations, previously targeting Ukraine's energy sector in 2015 and 2023. ESET continues to investigate the incident, promising updates to aid in defending critical sectors against further threats from Sandworm. The attack coincided with heightened geopolitical tensions, including Poland's closure of Russia's last consulate and new sanctions on Russian steel companies. Following the attack, Poland arrested individuals linked to Russian espionage, highlighting ongoing security concerns in the region. Poland is collaborating with NATO on an Eastern Flank Deterrence Line, incorporating AI and autonomous systems, potentially escalating tensions with Russia. | Details |
| 2026-01-26 12:02:21 | thehackernews | VULNERABILITIES | Fortinet Firewalls Face Renewed Threat from Incomplete Patch Exploits | Fortinet is addressing fresh exploitation of a FortiCloud SSO authentication bypass vulnerability, affecting devices previously considered fully patched. Attackers have identified new paths to exploit CVE-2025-59718 and CVE-2025-59719, allowing unauthorized SSO login bypass via crafted SAML messages. The vulnerability impacts devices with the FortiCloud SSO feature enabled, prompting Fortinet to recommend disabling this feature temporarily. Organizations are advised to restrict administrative access to edge network devices as a precautionary measure until a complete fix is available. This incident illustrates the evolving nature of threats and the necessity for continuous monitoring and patch management. The situation underscores the critical importance of verifying the effectiveness of security patches to prevent potential breaches. | Details |
| 2026-01-26 11:53:33 | bleepingcomputer | VULNERABILITIES | CISA Alerts on Active Exploitation of VMware vCenter Server Flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical VMware vCenter Server vulnerability, CVE-2024-37079, as actively exploited, requiring urgent attention. This vulnerability arises from a heap overflow issue within the DCERPC protocol of vCenter Server, allowing remote code execution through low-complexity attacks without needing user interaction. Federal agencies have been given a three-week deadline to secure their systems, with a compliance date set for February 13th, as per Binding Operational Directive 22-01. Broadcom has confirmed exploitation of this vulnerability in the wild, urging immediate application of security patches to the latest vCenter Server and Cloud Foundation releases. The lack of available workarounds emphasizes the critical need for patch application to mitigate potential risks to federal and enterprise systems. This incident is part of a broader pattern of vulnerabilities affecting VMware products, with previous zero-day exploits reported in other VMware software. The ongoing exploitation of such vulnerabilities indicates a persistent threat landscape, necessitating robust patch management and proactive security measures. | Details |
| 2026-01-26 11:35:30 | thehackernews | MALWARE | AI-Driven Cyber Attacks Demand Integrated Defensive Strategies | Recent reports indicate adversaries are leveraging AI, including Large Language Models, to create dynamic malware capable of evading traditional defenses, posing significant challenges for cybersecurity teams. Google's Threat Intelligence Group and Anthropic have observed AI being used throughout cyber espionage campaigns, from initial access to data exfiltration, highlighting a shift in attack sophistication. Attackers are employing techniques like steganography and social engineering to bypass signature-based scans and antivirus systems, increasing the risk of widespread malware deployment across networks. Microsoft's research reveals threat actor Octo Tempest's use of AI to manipulate victims into disabling security measures, facilitating undetected malware propagation within enterprise environments. The evolving threat landscape necessitates a combined approach using both Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) to effectively identify and mitigate AI-driven threats. Security experts recommend integrating NDR and EDR systems to enhance visibility across networks, detect behavioral anomalies, and respond swiftly to emerging cyber threats. As AI continues to advance, organizations must adapt their defensive strategies to counter increasingly sophisticated cyber attacks, ensuring robust protection against evolving adversary tactics. | Details |
| 2026-01-26 10:20:40 | theregister | MISCELLANEOUS | Royal Navy Integrates Oracle AI for Enhanced Maritime Operations | The Royal Navy deployed Oracle's AI-driven cloud edge infrastructure aboard HMS Prince of Wales during Operation Highmast, enhancing decision-making and operational learning across an eight-month mission. Oracle's Roving Edge Infrastructure, a ruggedized version of its cloud platform, facilitated AI operations directly on the vessel, supporting real-time data analysis and strategic insights. The AI platform, developed by Whitespace, is designed to accelerate the capture and utilization of institutional knowledge, aiding defense organizations in mission-critical operations. First Sea Lord Sir Gwyn Jenkins emphasized the importance of AI solutions in strengthening the UK's defensive capabilities, highlighting the strategic value of integrating advanced technologies. Despite the potential benefits, concerns persist regarding AI reliability, particularly issues like error-checking and the risk of generating false information, as seen in other AI applications. Oracle's significant investment in AI and data center infrastructure aims to attract developers and enterprise clients, although it has resulted in substantial financial liabilities. The initiative reflects a growing trend in military sectors to leverage AI for operational advantages, potentially setting a precedent for future defense technology integrations. | Details |
| 2026-01-26 09:40:11 | theregister | MISCELLANEOUS | UK Government Advances Plans for In-House Digital ID Scheme | The UK government is progressing with plans for a digital ID system, aiming to develop it internally rather than outsourcing to external technology companies. Despite ongoing discussions, the government has not disclosed specific cost details, stating that expenses will be covered within existing budget allocations. The digital ID initiative will undergo a public consultation in February, which will influence cost estimations and implementation strategies. The scheme aims to provide robust digital verification processes, avoiding simple screen-based ID presentations, to enhance security and reliability. Digital ID will cater to individuals without smartphones, ensuring inclusivity through potential issuance of physical documents and a digital inclusion drive. The initiative could play a role in verifying eligibility for employment and may be linked to social media access restrictions for minors, pending legislative decisions. Government officials assert the digital ID is not equivalent to traditional ID cards, despite similarities in functionality and purpose. | Details |
| 2026-01-26 08:59:46 | thehackernews | NATION STATE ACTIVITY | Konni Hackers Target Blockchain Sector with AI-Generated Malware | The North Korean group Konni is using AI-generated PowerShell malware to target blockchain developers in Japan, Australia, and India, expanding beyond its usual targets. Known for targeting South Korea, Konni has been active since 2014 and is also tracked under various aliases such as Earth Imp and TA406. Recent campaigns involve spear-phishing emails with links disguised as legitimate Google and Naver ads, leading to the deployment of the EndRAT trojan. The group uses improperly secured WordPress sites for malware distribution and command-and-control, exploiting ad click redirection mechanisms. The campaign, named Operation Poseidon, impersonates North Korean human rights organizations and financial institutions to deceive targets. AI tools have been leveraged to create modular, well-documented PowerShell backdoors, indicating an effort to streamline and standardize malicious code. This activity aligns with broader North Korean cyber objectives, including financial theft and intelligence gathering, adapting tactics to meet strategic goals. | Details |
| 2026-01-25 23:50:52 | theregister | VULNERABILITIES | Pwn2Own Automotive 2026 Reveals 76 Zero-Day Vulnerabilities | The Pwn2Own Automotive 2026 competition in Tokyo exposed 76 zero-day vulnerabilities across various automotive systems, including Tesla infotainment and EV chargers. Trend Micro's Zero Day Initiative awarded over $1 million to ethical hackers for successful exploitation demonstrations during the event. Fuzzware.io's team won the highest single-exploit payout of $60,000 for an out-of-bounds write vulnerability in the Alpitronic HYC50 EV charger. Synacktiv successfully compromised Tesla's infotainment system using a combination of an information leak and out-of-bounds write vulnerability. The event underscores the critical need for automotive vendors to swiftly address these vulnerabilities to ensure system security and consumer safety. The competition's findings emphasize the importance of continuous security assessments and proactive vulnerability management in the automotive industry. | Details |
| 2026-01-25 18:44:27 | bleepingcomputer | VULNERABILITIES | 1Password Enhances Phishing Protection with New Pop-Up Alerts | 1Password has introduced a feature to alert users of potential phishing risks through pop-up warnings, enhancing its digital vault and password manager's security measures. The new phishing protection feature aims to prevent users from entering credentials on malicious sites, particularly those using typosquatting techniques. This update is automatically enabled for individual and family plan users, while enterprise admins can activate it for employees via the 1Password admin console. A survey by 1Password revealed that 61% of respondents have been phished, and 75% do not verify URLs before clicking, highlighting the need for improved user awareness. The company notes that AI tools have increased the sophistication and volume of phishing attacks, making enhanced security features crucial in the current threat landscape. In corporate settings, compromised accounts can lead to lateral movement by threat actors, emphasizing the importance of robust phishing defenses. The survey also indicated a significant reliance on IT departments for phishing protection, with many users preferring to delete suspicious messages rather than report them. | Details |
| 2026-01-25 15:26:52 | bleepingcomputer | VULNERABILITIES | 1Password Introduces Phishing Alerts to Enhance User Security | 1Password has integrated pop-up warnings for suspected phishing sites to prevent users from inadvertently sharing credentials with cybercriminals. This new feature aims to address the limitations of existing URL matching safeguards, which may not detect typosquatted domains. Users will receive alerts when visiting potentially malicious sites, prompting them to verify URLs before entering sensitive information. The feature is automatically enabled for individual and family plans, while enterprise admins can activate it for employees via the admin console. A survey by 1Password revealed 61% of respondents had been phished, and 75% do not routinely check URLs before clicking links. The rise of AI tools has increased the sophistication and volume of phishing attacks, making enhanced protection measures crucial. In corporate settings, password reuse and phishing attacks pose significant risks, with many employees mistakenly viewing phishing protection as solely an IT responsibility. | Details |
| 2026-01-25 15:19:04 | bleepingcomputer | VULNERABILITIES | 1Password Introduces Phishing Alerts to Enhance User Security | 1Password has integrated phishing URL detection to alert users of potential threats, enhancing its password management service for enterprise and individual users. This new feature aims to prevent users from entering credentials on typosquatted or malicious domains, addressing a critical security gap. The phishing alert system will automatically activate for individual and family plan users, while enterprise admins can enable it via the admin console. A survey by 1Password revealed that 61% of respondents had been successfully phished, with many failing to check URLs before clicking. The proliferation of AI tools has increased the sophistication and volume of phishing attacks, prompting the need for advanced protective measures. In corporate environments, compromised credentials can lead to lateral movement across networks, emphasizing the importance of robust phishing defenses. The survey also indicated a significant portion of employees believe phishing protection is solely the IT department's responsibility, highlighting a need for broader security awareness. | Details |
| 2026-01-24 22:03:02 | bleepingcomputer | NATION STATE ACTIVITY | Sandworm's Failed Wiper Attack Targets Poland's Energy Infrastructure | Poland's energy grid faced a cyberattack in December 2025, attributed to the Russian state-sponsored group Sandworm, aiming to deploy destructive DynoWiper malware. Sandworm, linked to Russia's GRU, has a history of disruptive attacks, including a similar incident on Ukraine's energy grid a decade ago. The attack targeted two combined heat and power plants and a management system for renewable energy sources, according to Polish officials. DynoWiper, identified by ESET as Win32/KillFiles.NMO, is designed to render operating systems unusable by deleting files, necessitating system rebuilds or reinstalls. Polish Prime Minister Donald Tusk confirmed the attack's links to Russian services, emphasizing the geopolitical implications of such cyber activities. ESET provided limited technical details on DynoWiper, and no samples have been found on major malware submission platforms. Recommendations include reviewing Microsoft's February 2025 report on Sandworm for insights into defending against similar threats. Sandworm's recent activities also include attacks on Ukraine's education, government, and grain sectors, indicating a pattern of targeting critical infrastructure. | Details |