Daily Brief

Articles are listed below, each followed by its generated summary

Total articles found: 12776

Checks for new stories every ~15 minutes

2025-05-15 14:31:17 thehackernews DATA BREACH Coinbase Inside Job Leads to Data Leak and Extortion Attempt
Coinbase suffered a data breach orchestrated by cybercriminals who bribed internal customer support agents in India, leading to unauthorized data access. The attackers copied account data of less than 1% of Coinbase's 9.7 million monthly users, potentially to deceive those customers into transferring cryptocurrency. The threat actors attempted to extort $20 million from Coinbase by threatening to release sensitive customer and internal information. No critical data such as passwords, private keys, or customer funds was compromised, and Coinbase Prime accounts remained secure. Coinbase has terminated the employment of the involved customer agents and is taking measures to reimburse affected customers. Enhanced security measures, including additional ID checks for large withdrawals and strengthened defenses against insider threats, are being implemented. Coinbase has announced a $20 million reward for information leading to the arrest and conviction of the responsible parties. Customers are advised to enhance security by enabling withdrawal allow-listing and two-factor authentication, and to remain vigilant against impostors.
2025-05-15 13:48:44 bleepingcomputer MALWARE NPM Package Hides Malware Using Unicode Steganography, Targets Users
Researchers identified a malicious NPM package named 'os-info-checker-es6' that employs Unicode steganography to conceal command-and-control links within Google Calendar events. Originally benign when added to NPM on March 19, the package began incorporating malicious elements in subsequent updates, changing significantly by May 7 to include sophisticated malware delivery mechanisms. The package, downloaded over 1,000 times, mimics a utility tool while secretly acting as a malware vector, impacting multiple users. 'os-info-checker-es6' is listed as a dependency in four other questionable NPM packages that pose as accessibility and development tools, potentially expanding its reach. The attack involves fetching a base64-encoded URL obscured within a Google Calendar event, which then directs to the actual malicious payload. Despite Veracode's discovery and reporting, the harmful NPM packages remain available for download, posing ongoing risks to unsuspecting developers. The incident underscores the need for increased vigilance and robust security measures within software development environments, particularly in package management ecosystems.
2025-05-15 13:39:33 theregister DATA BREACH Snowflake CISO Enhances Security After Major Data Breaches
Last spring, significant data breaches at Snowflake impacted major clients like Ticketmaster and Santander, involving unauthorized data access through exposed customer credentials. The breaches affected hundreds of millions and were facilitated by the misuse of stolen user credentials lacking multi-factor authentication—highlighting gaps in the shared responsibility security model. Snowflake’s CISO, Brad Jones, emphasized a shift from a shared responsibility model to a "shared destiny" model, strengthening proactive partnerships with customers to enhance security. Following the incidents, Snowflake mandated multi-factor authentication by default for new accounts and planned the phased elimination of single-factor password logins by November 2025. To further secure customer data, Snowflake implemented uniform security controls, private networking options, default encryption, and a service to detect and lock accounts with compromised credentials found on the dark web. The CISO highlighted new security challenges, particularly with AI, stressing the importance of adapting security measures rapidly in response to AI's evolving risks and capabilities. Microsoft’s three-phase model for agentic AI development, from basic chatbots to independent operation, presents new governance and security considerations. Snowflake’s approach now focuses on enabling business needs securely, reflecting the improv rule of "yes, and" to integrate necessary controls without stifling innovation.
2025-05-15 13:33:22 bleepingcomputer DATA BREACH Coinbase Insider Assisted Data Breach Exposes Customer IDs
Coinbase disclosed a significant data breach involving compromised customer information, including government IDs, carried out with the help of rogue overseas support agents. Cybercriminals demanded a $20 million ransom to avoid public release of the data, which Coinbase refused to pay, instead establishing a reward fund of the same amount to find the perpetrators. No customers' private keys or passwords were stolen, and Coinbase Prime accounts and wallets remain secure. Coinbase terminated the employment of the involved insiders who facilitated unauthorized access to its systems. The breach has potential financial implications estimated between $180 million and $400 million, mainly for remediation and compensation of customers deceived into sending funds to attackers. The company plans to open a new U.S.-based support hub and increase investment in security measures, including insider-threat detection and automated response systems. Coinbase urges customers to use two-factor authentication and to be cautious of scammers impersonating company employees.
2025-05-15 13:33:22 bleepingcomputer MALWARE Malicious NPM Package Harnesses Steganography and C2 Mechanisms
Researchers discovered a malicious npm package named "os-info-checker-es6" which initially posed as a benign utility but later included malware. The package, which camouflages malicious content with invisible Unicode characters and uses Google Calendar links, was downloaded over 1,000 times. Introduced to npm in March as a benign package, it later received updates adding malware and complex command-and-control mechanisms. This package and the four others that list it as a dependency pose as developer tools to mask their underlying harmful activity. The malicious code is hidden using Unicode steganography: invisible characters embed a Google Calendar URL that hosts the next stage. After following redirects until an HTTP 200 OK response is received, a base64-encoded URL is scraped from the event and decoded to deliver the final malware payload. The payload was not retrievable at the time of research, indicating either an early stage of the campaign or a temporary pause. Despite Veracode's discovery and its report to npm regarding the suspicious packages, the packages were still live on the platform.
2025-05-15 11:29:54 thehackernews MISCELLANEOUS Why Continuous Penetration Testing is Essential for Security
Annual penetration tests are insufficient because software updates rapidly introduce new code and new vulnerabilities. Compliance frameworks like PCI DSS and HIPAA guide security but do not ensure protection against vulnerabilities that emerge after an assessment. Continuous security testing is crucial to identify and fix new vulnerabilities before they are exploited by attackers. Strategic pen testing incorporates regular tests, integration with other security measures, and customization based on specific threats. Resource constraints and a lack of qualified personnel hinder effective penetration testing in many organizations. A cultural shift toward continuous testing and proactive risk management is necessary for improved security. Combining External Attack Surface Management (EASM) and Penetration Testing as a Service (PTaaS) can optimize security effectiveness. Outpost24's CyberFlex offers integrated solutions for continuous, flexible testing tailored to specific business needs.
2025-05-15 10:36:24 thehackernews MALWARE Strategies to Enhance Ransomware Recovery and Prevention
Ransomware has become more sophisticated, leveraging legitimate IT tools and services such as Ransomware-as-a-Service (RaaS) to conduct widespread attacks. Microsoft reported misuse of its Quick Assist tool for deploying Black Basta ransomware, highlighting the evolving tactics of cybercriminals. The economic impact of ransomware could escalate to $275 billion annually by 2031, with attacks predicted to occur every 2 seconds. A robust business continuity and disaster recovery (BCDR) strategy, including the upgraded 3-2-1-1-0 backup rule, is critical for organizational resilience against ransomware. Immutable and isolated backups, continuous backup monitoring, and regular restore testing are paramount to ensure data integrity and recovery capabilities. Enhancing backup systems with anomaly detection and integrating them with security operations can expedite threat detection and response. Regular employee training on cyber hygiene and proactive threat reporting can further fortify the first line of defense against ransomware. Incorporating comprehensive BCDR solutions like Datto can streamline the implementation of these strategies and bolster overall ransomware preparedness.
2025-05-15 10:12:38 thehackernews NATION STATE ACTIVITY APT28 Targets Government Email Servers in Espionage Campaign
A Russia-linked hacking group, APT28, exploited webmail software vulnerabilities to conduct cyber espionage, primarily against Eastern European governmental and defense entities. The campaign, named Operation RoundPress by ESET, began in 2023 and relied on cross-site scripting (XSS) attacks, including a zero-day vulnerability in MDaemon. Targets expanded globally to include governmental bodies in Africa, Europe, and South America, with a focus on harvesting email communication and sensitive data. Besides MDaemon, the XSS flaws exploited were found in other popular webmail platforms such as Horde, Roundcube, and Zimbra. CVE-2024-11182 (the MDaemon zero-day) and the related vulnerabilities in the other platforms have been patched, highlighting the importance of timely software updates. The malware used in the attacks, dubbed SpyPress, could steal credentials, emails, and contact information, and maintained access via Sieve rules in Roundcube. US CISA added CVE-2023-43770, associated with Roundcube, to its Known Exploited Vulnerabilities catalog, underlining the severity and attention these exploits have garnered.
2025-05-15 10:04:45 thehackernews MALWARE Sophisticated Malware Deploys Via Npm Package and Google Calendar
A malicious npm package named "os-info-checker-es6" was found using Unicode steganography and Google Calendar to drop payloads. "os-info-checker-es6" mimics an operating system info tool to facilitate the undetected installation of further malicious code. It uses a Google Calendar event link with a Base64-encoded title that points to a remote C2 server, making the attack harder to block. The package was first uploaded on March 19, 2025, and has been downloaded over 2,000 times. No significant malicious activity was noted in the first five versions of the package; changes began appearing in later versions from May 7, 2025. The same developer published another npm package, suggesting links to a broader malicious campaign. Security experts suggest combining behavioral analysis, static and dynamic testing, and thorough validation of third-party packages to combat such threats. The overview was part of a broader analysis detailing emerging cyber threats in software supply chains in the first half of 2025.
2025-05-15 08:27:12 bleepingcomputer MALWARE Google Releases Update to Patch High-Severity Chrome Vulnerability
Google has released updates to fix a high-severity vulnerability in Chrome that could potentially lead to account takeovers. The flaw (CVE-2025-4664) was publicly exploitable and was found in Chrome's Loader component, allowing cross-origin data leakage through malicious HTML pages. The vulnerability was first reported by a Solidlab security researcher and relates to the improper enforcement of referrer-policy in HTTP headers. Exploitation of this vulnerability could expose sensitive user data, such as OAuth query parameters, which might lead to unauthorized account access. Patches have been issued for desktop versions of Chrome (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS). Google encourages users to update their browser immediately to the latest patched version or to allow Chrome to install updates automatically. The company had previously addressed a Chrome zero-day vulnerability earlier in the year that was used in targeted attacks against Russian entities. Google's proactive patching approach continues as a response to the increasing number of zero-day vulnerabilities being exploited.
2025-05-15 06:34:31 theregister MALWARE DragonForce Ransomware Hits Major Retailers, Avoids Russian Targets
DragonForce, a ransomware-as-a-service (RaaS) group, began its operations in August 2023 and has since claimed 158 victims, including major retailers like Marks & Spencer. The group explicitly prohibits attacks on targets within the Commonwealth of Independent States, particularly emphasizing a no-attack policy on Russia and its allies. In March, DragonForce rebranded as a "cartel," enabling affiliates to use its infrastructure to deploy ransomware beyond the group's proprietary code. The FBI identified DragonForce as one of the most prolific ransomware sources in 2024, highlighting the significant threat posed by its expansive affiliate network. Despite speculation, there is no conclusive evidence linking DragonForce to Russia, although it operates on multilingual forums including Ramp, thought to be managed in Russia. DragonForce has set ethical boundaries by warning affiliates against targeting hospitals with critical care units, threatening punishment for violations. The group's operating model not only democratizes ransomware deployment but potentially increases its visibility and the risk of law enforcement intervention.
2025-05-15 06:21:48 thehackernews MALWARE Google Updates Chrome to Fix Documented Malicious Vulnerability
Google has issued updates for Chrome to address a high-severity vulnerability allowing cross-origin data leaks. Identified as CVE-2025-4664, the security flaw was exploited in the wild, with a CVSS score of 4.3. The vulnerability results from insufficient policy enforcement related to the Loader component in versions prior to 136.0.7103.113. Attackers could exploit this issue by setting the referrer-policy to "unsafe-url" in the Link header, enabling them to capture full query parameters. These parameters could include sensitive information potentially leading to account takeovers. Security expert Vsevolod Kokorin first detailed this vulnerability, highlighting the unique risk in Chrome compared to other browsers. Users are urged to update their Chrome browsers immediately, and other Chromium-based browsers should follow suit as updates become available. This is the second Chrome vulnerability reported this year that has been actively exploited.
2025-05-14 20:46:52 theregister CYBERCRIME Nucor Halts Production Across Multiple Sites Due to Cyberattack
Nucor, the largest U.S. steel manufacturer, temporarily shut down production after a cyber intrusion was detected on its servers. The company filed an 8-K with the SEC revealing that specific IT systems were compromised, prompting shutdowns at some facilities. Third-party security experts and law enforcement have been engaged to investigate the incident. The nature of the cyberattack and specifics about the affected facilities remain undisclosed. The attack on Nucor underscores the vulnerability of critical infrastructure in the U.S. to both nation-state actors and ransomware groups. Nucor is in the process of restarting operations, though details about the recovery’s timeline are not provided. Previous incidents, like the Colonial Pipeline cyberattack, highlight the potentially severe consequences and motivations behind targeting major U.S. infrastructure.
2025-05-14 20:31:35 bleepingcomputer MISCELLANEOUS Google Chrome Enhances Security by Blocking Admin-Level Launches
Google is updating Chromium to increase security by preventing Chrome from running as an administrator in Windows. This change echoes a security feature first introduced by Microsoft for the Edge browser in 2019, which originally warned users against launching with elevated permissions. The updated feature will automatically "de-elevate" Chrome's permissions if an attempt is made to launch it with administrative rights. Microsoft's involvement in the Chromium project has facilitated the addition of this security feature, which was based on their experiences with Edge. There's an added command-line switch to prevent potential infinite loops caused by the automatic de-elevation process. Running Chrome with administrative rights exposes the system to significant risks, as malicious downloads would also inherit elevated permissions, potentially leading to full system compromise. The de-elevation feature does not affect Chrome processes initiated in automation mode to allow compatibility with necessary automated tools.
2025-05-14 19:47:11 bleepingcomputer CYBERCRIME Scattered Spider Expands Ransomware Attacks from UK to US Retailers
Google Threat Intelligence Group reports that the Scattered Spider hacking group is now targeting US retail companies with ransomware and extortion operations. These attacks follow the group's pattern of sector-focused campaigns; it has a history of successful cyberattacks on retail chains in the UK, including Marks & Spencer. The DragonForce ransomware used in these attacks was first seen in action against VMware ESXi hosts, causing major disruptions within affected organizations. US retailers are advised to bolster their cybersecurity defenses in response to these emerging threats, in line with recent guidance from the UK National Cyber Security Centre (NCSC) following similar incidents. Scattered Spider is known for sophisticated social engineering tactics, including phishing and SIM swapping, to breach high-profile targets and facilitate ransomware deployment. The collective nature of Scattered Spider complicates efforts to track and predict its activities, making it highly effective against even well-protected networks. The NCSC has yet to formally attribute the recent UK retail attacks to any specific group or coordinated campaign, underlining the ongoing investigations and the need for increased vigilance against such threats.