Daily Brief

Google has released updates for Chrome to fix four vulnerabilities, including CVE-2025-10585, which is being actively exploited in the wild. The zero-day flaw, CVE-2025-10585, is a type confusion issue found in the V8 JavaScript and WebAssembly engine. This marks the sixth zero-day vulnerability in Chrome exploited or demonstrated as a proof-of-concept in 2025. Google has not disclosed specific details on the exploitation methods or the threat actors involved. Organizations are urged to prioritize patching to mitigate potential risks associated with these vulnerabilities. The rapid exploitation of newly disclosed vulnerabilities highlights the need for accelerated patch management processes. Staying informed and agile in response to emerging threats is critical for maintaining security posture.

Stellantis, owner of brands like Chrysler and Jeep, reported a data breach through a third-party vendor, affecting its North American customer service operations. The breach exposed customer names and email addresses, but Stellantis confirmed no financial or sensitive information was compromised. Upon discovering the breach, Stellantis activated incident response protocols, notified law enforcement, and began informing affected customers to watch for phishing attempts. The automaker has not disclosed the number of affected individuals or the identity of the compromised vendor, maintaining a focus on customer protection. This incident coincides with broader industry challenges, as Jaguar Land Rover faces a major cyberattack disrupting global production and retail systems. The JLR attack, reportedly linked to ransomware, has led to halted production, supplier issues, and workforce impacts, highlighting vulnerabilities in supply chain logistics. The automotive sector's reliance on extensive supply chains and just-in-time logistics underscores the importance of robust cybersecurity measures and contingency planning.

Enterprises face growing challenges from non-human identities (NHIs), including service accounts and AI agents, which often operate with broad permissions and lack oversight. NHIs can outnumber human users significantly, creating potential security blind spots due to their automatic creation and lack of clear ownership. AI agents, unlike traditional machine identities, act autonomously, accessing sensitive data and APIs without adequate guardrails or lifecycle management. Security teams are urged to adopt a proactive governance approach, treating NHIs as critical identities requiring comprehensive inventory and management. Implementing an identity security fabric can consolidate identity management, reducing blind spots and enhancing response capabilities across diverse environments. Prioritizing risk-based privilege management and automating lifecycle processes can mitigate the risks associated with over-permissioned and orphaned NHIs. Organizations are encouraged to integrate modern identity platforms to manage NHIs effectively, ensuring robust security controls and minimizing the attack surface.

A verified game on Steam, Block Blasters, was used to steal over $150,000 from cryptocurrency wallets, affecting 261 to 478 users. The scam targeted individuals managing significant cryptocurrency amounts, identified through Twitter, and invited to download the malicious game. The game initially appeared safe but was later updated with a cryptodrainer component on August 30, compromising user accounts. Affected users included a Latvian gamer raising funds for cancer treatment, who lost $32,000 during a live fundraising event. Investigations revealed a batch script and Python backdoor used to collect Steam login details and upload them to a command and control system. Security researchers noted an operational security lapse by the attackers, exposing their Telegram bot code and tokens. Valve, the company behind Steam, has yet to respond to inquiries regarding the incident and potential preventive measures. Users are advised to reset Steam passwords and transfer digital assets to new wallets if they downloaded Block Blasters.

Lloyds Banking Group is integrating AI technologies while ensuring the protection of its 28 million customers' data, emphasizing security over rapid deployment of new models. The bank has banned developers from using AI model hosting platforms like Hugging Face to prevent potential cybersecurity threats from malicious models. Lloyds is actively implementing over 100 AI use-cases, including chatbots and document processing, to enhance both customer service and internal operations. Microsoft Co-Pilot and Google Gemini are key AI platforms deployed by Lloyds, aiding in digital transformation and operational efficiency. Despite the cautious approach to certain AI platforms, Lloyds remains committed to exploring AI's potential to reshape the banking experience. A recent paper by Lloyds reports that 60% of financial institutions have seen productivity improvements due to AI, highlighting its growing importance in the sector. The bank's strategic approach to AI adoption reflects a balance between innovation and security, ensuring customer trust and data integrity.

President Trump announced that a consortium, featuring Michael Dell and Larry Ellison, plans to acquire TikTok's US operations, aiming to address national security concerns. Oracle's cloud infrastructure, which already hosts TikTok's US traffic, will likely continue to support the app, ensuring data remains within American jurisdiction. The acquisition deal mandates majority US ownership, with six out of seven board seats occupied by US citizens, reinforcing control over TikTok's operations. While Michael Dell's specific role remains unclear, his involvement is suggested through BDT & MSD Partners, which invests on behalf of Dell and other investors. The acquisition aligns with US legal requirements for ByteDance to divest TikTok's US operations, potentially mitigating perceived security risks associated with foreign ownership. Speculation exists around the potential development of a Dell hyperscale sovereign SaaS platform, leveraging TikTok's infrastructure capabilities. The deal is seen as beneficial for US political discourse and economic interests, maintaining TikTok's connectivity with young voters and the broader American public.

Microsoft patched a critical vulnerability in Entra ID, previously known as Azure Active Directory, that allowed attackers to impersonate Global Administrators across tenants. The flaw, identified as CVE-2025-55241, received a CVSS score of 10.0, indicating its severe potential impact on global cloud security. Exploitation involved service-to-service tokens and a deprecated Azure AD Graph API, which failed to validate tenant sources, enabling unauthorized cross-tenant access. No evidence suggests the vulnerability was exploited in the wild before being addressed by Microsoft on July 17, 2025, requiring no action from customers. Successful exploitation could bypass multi-factor authentication and Conditional Access, potentially leading to full tenant compromise without detection. The issue underscores the critical need for organizations to migrate from deprecated APIs and maintain vigilance over cloud security configurations. This incident follows recent discoveries of cloud misconfigurations, emphasizing the broader risks associated with cloud infrastructure and the importance of proactive security measures.

Collins Aerospace experienced a cyber-related disruption affecting its ARINC cMUSE system, leading to delays and cancellations at European airports, including Brussels and Heathrow. The ARINC cMUSE system allows multiple airlines to share check-in desks and boarding gates, but manual check-in processes were required due to the disruption. In the U.S., severed fiber optic cables at Dallas Fort Worth International Airport caused significant delays, impacting FAA radar and communication systems. American Airlines reported a drastic reduction in flight departures from DFW, with only nine flights departing in a three-hour window compared to the usual 100 per hour. The FAA and contractors developed a workaround to release flights manually, though the process was slow and inefficient, leading to nearly 700 flight cancellations. The incidents reveal vulnerabilities in aviation technology infrastructure and emphasize the need for modernization to enhance system resilience and reliability. The FAA cited outdated infrastructure as a critical issue, stressing the importance of upgrading to digital systems to prevent future disruptions.

A ransomware attack in July 2025 compromised the French Natural History Museum's security, leading to a $705,000 gold heist. Thieves exploited the disabled alarm and surveillance systems, using tools to access the museum's mineral display section. The stolen gold nuggets, weighing six kilograms, are believed to have been melted, complicating recovery efforts. The FBI issued a warning about spoofed websites imitating its Internet Crime Complaint Center, aiming to collect personal data. ICE has contracted Magnet Forensics for software to unlock mobile devices, enhancing its investigative capabilities. French luxury brands Kering and Tiffany reported data breaches, with attackers accessing limited customer data but not financial information.

A vulnerability in Microsoft Entra ID, formerly Azure AD, could have enabled attackers to hijack any company's tenant globally, posing a severe security risk. The flaw involved undocumented "actor tokens" and a vulnerability in the Azure AD Graph API, identified as CVE-2025-55241, which allowed unauthorized access without detection. Exploitation of this flaw would grant attackers Global Admin privileges, enabling full control over the tenant's services and user impersonation. The actor tokens, used internally by Microsoft, lacked essential security controls, allowing impersonation of any user for up to 24 hours without revocation capability. Security researcher Dirk-jan Mollema discovered the flaw and reported it to Microsoft, which resolved the issue within nine days of notification. Microsoft has initiated the deprecation process for the Azure AD Graph API, with full discontinuation expected by September 2025, enhancing security measures. Organizations relying on Microsoft Entra ID should review their security configurations and monitor for unusual activities to mitigate potential risks.

North Korean threat actors are using ClickFix-style social engineering to deliver BeaverTail malware, targeting roles in cryptocurrency and retail sectors instead of software developers. The campaign, known as Contagious Interview, employs fake job assessments to distribute malware, marking a shift in targeting strategy and leveraging compiled binaries for broader system compatibility. BeaverTail, written in JavaScript, functions as an information stealer and downloader for the Python-based backdoor InvisibleFerret, with recent variants targeting fewer browser extensions. A fake hiring platform created using Vercel is used to lure victims, capturing IP addresses and deploying malware through deceptive technical error messages. The campaign reflects an adaptation to reach less technical targets, indicating a strategic expansion beyond traditional software developer targets to include marketing and trading roles. Investigations reveal that at least 230 individuals were targeted in early 2025 through fake cryptocurrency job interviews, with malware disguised as updates or utilities tailored to victims' systems. The attackers are actively refining their infrastructure, rapidly deploying new systems post-takedown, and leveraging cyber threat intelligence to enhance campaign resilience and effectiveness. This activity aligns with North Korea's historical attempts to gather threat intelligence, showcasing a tactical shift towards financially motivated operations alongside traditional espionage efforts.

The Royal Canadian Mounted Police (RCMP) has shut down TradeOgre, a cryptocurrency exchange, seizing over $40 million linked to suspected criminal activities. This action marks Canada's first closure of a crypto exchange by law enforcement and its largest asset seizure to date. TradeOgre was known for prioritizing user privacy, dealing in niche altcoins, and supporting Monero, a cryptocurrency favored for its anonymity. The platform did not comply with Canadian regulations, failing to register with FINTRAC or implement Know Your Customer (KYC) policies. The investigation, initiated by a Europol tip, began in June 2024, leading to the platform's shutdown in July, initially sparking exit scam suspicions. The RCMP acknowledged that not all seized cryptocurrencies may be linked to illegal activities, offering non-criminal users potential legal recourse. The case underscores the challenges of balancing privacy in cryptocurrency exchanges with compliance and anti-money laundering efforts.

LastPass has identified a campaign targeting macOS users through fake GitHub repositories distributing the Atomic infostealer malware, posing as legitimate tools. The campaign impersonates popular applications like 1Password, Dropbox, and Shopify, aiming to deceive users into downloading malicious software. Attackers use SEO poisoning to elevate malicious GitHub links in Bing and Google search results, directing users to download malware. The GitHub pages, created under multiple usernames, circumvent takedown efforts and redirect users to execute commands deploying the malware. The Atomic Stealer malware is delivered through ClickFix-style instructions, exploiting macOS Terminal to establish remote server connections. Similar tactics have been used in past campaigns, leveraging Google Ads and bogus repositories to distribute multi-stage droppers. Organizations are advised to enhance monitoring of repository activities and educate users on recognizing suspicious download prompts.

SentinelOne's SentinelLABS has identified MalTerminal, the earliest known malware integrating Large Language Model (LLM) capabilities, as presented at LABScon 2025. MalTerminal utilizes OpenAI's GPT-4 to dynamically generate ransomware or a reverse shell, marking a new category of LLM-embedded malware. The malware includes Python scripts and a Windows executable, suggesting its potential as a proof-of-concept or red team tool, with no confirmed wild deployment. Researchers noted the malware's use of a deprecated OpenAI API endpoint, indicating its creation before November 2023. LLM integration in malware represents a significant shift in cyber threat tactics, complicating detection and response efforts for cybersecurity teams. Concurrently, StrongestLayer reported advanced phishing techniques using LLMs to bypass AI security scanners, exploiting vulnerabilities like Follina (CVE-2022-30190). The rise in AI-driven cyber threats underscores the need for enhanced defensive strategies to counteract sophisticated adversary tactics.

Cybersecurity researchers identified a zero-click flaw in OpenAI's ChatGPT Deep Research agent, named ShadowLeak, potentially exposing Gmail inbox data through a single crafted email. The attack leverages indirect prompt injection hidden in email HTML, bypassing user detection, and exploiting OpenAI's cloud infrastructure to leak data. OpenAI addressed the vulnerability in August 2025 after responsible disclosure in June, highlighting the need for robust security measures in AI integrations. The flaw extends to any connector supported by ChatGPT, including Google Drive and Microsoft Outlook, significantly expanding the potential attack surface. Unlike previous client-side attacks, ShadowLeak operates within OpenAI's cloud, evading traditional security defenses and complicating detection efforts. The incident emphasizes the importance of securing AI systems against indirect prompt injections and maintaining vigilance in AI-driven environments. This case also underlines the necessity for continuous security assessments and red teaming to protect against evolving AI vulnerabilities.