🇫🇷 💰 France fined its national employment agency €5 million after a 2024 data breach exposed personal data of up to 43 million people. Hackers used social engineering to hijack adviser accounts and stole names, birth dates, national IDs, addresses, emails, and phone numbers. CNIL ordered fixes with daily fines if France Travail fails to comply.

🇺🇸 👟 Nike is investigating a possible cyber security incident after the World Leaks gang posted 1.4 TB of allegedly stolen files. The extortion group later removed Nike from its leak site, suggesting negotiations or a paid ransom, but Nike has not confirmed any theft. Independent verification of the leaked data has not been possible.

🎧 Hackers stole personal info from about 29.8 million SoundCloud accounts — The leaked data included emails, names, usernames, profile stats, and sometimes country. The ShinyHunters group extorted SoundCloud and later released the data.

🇺🇸 Crunchbase confirmed a data breach after hackers from the ShinyHunters group published files they say were stolen. The leaked data reportedly includes personal information, contracts, and corporate documents. ShinyHunters also claim attacks on SoundCloud and Betterment and may be linked to recent Okta vishing scams.

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🇨🇳 🗑 Google disrupted IPIDEA, a China-based residential proxy network, removing about 40% of its proxy devices. The takedown cut command-and-control links and storefronts but many devices still operate. Researchers warn the proxy industry is rapidly growing and often abused by criminals and state-backed groups.

🇺🇸 🇧🇬 🇮🇹 The U.S. Justice Department seized three popular Bulgarian-linked domains for distributing pirated movies, TV shows and games. Italian police also dismantled illegal IPTV services that streamed content from major providers and linked to a transnational crime group. Authorities said the operations used anonymization, crypto and fake companies to hide profits.

🇺🇸 🗑 The FBI seized the RAMP cybercrime forum and replaced its sites with a seizure notice. RAMP was a major hub where ransomware gangs promoted attacks and traded access. The seizure could expose user data and lead to arrests.

🇺🇸 🇨🇳 🧑‍⚖ A former Google engineer, Linwei (Leon) Ding, was convicted for stealing over 2,000 AI-related trade secret documents to benefit a China-linked startup. The stolen materials included designs for TPUs, GPUs, data center infrastructure, and software for AI supercomputers. He faces multiple espionage and theft charges and up to decades in prison.

🇰🇵 A North Korea–linked hacking group called Labyrinth Chollima has split into three focused groups: Labyrinth, Golden, and Pressure. The spin-offs specialize in espionage or large cryptocurrency thefts that fund the regime. CrowdStrike warns these groups share tools but have grown more capable and dangerous.

🇺🇸 🏧 The U.S. Justice Department charged 31 more people in a large ATM jackpotting scheme, bringing the total to 87. Many suspects are Venezuelan members of the Tren de Aragua gang, and Colombians were also indicted. They used Ploutus malware and physical tampering to make ATMs spit out cash and hide their tracks.

🇸🇰 🇺🇸 A Slovakian man, Alan Bill, pleaded guilty to helping run Kingdom Market, a darknet site that sold drugs, stolen data, fake IDs, and cybercrime tools. He was arrested in December 2023 with devices and crypto wallets linking him to the market. He faces at least five years in prison and must forfeit seized domain names and cryptocurrency.

📂 🤐 A six-month-old WinRAR flaw (CVE-2025-8088) is being actively exploited by both nation-state groups and cybercriminals. Attackers use a malicious RAR that drops malware silently without user interaction, making detection hard. Google urges updating WinRAR and provides indicators to help defenders.

💻 Security firm Silent Push says the ShinyHunters-linked group set up fake domains to target over 100 major organizations across many industries. Attackers used vishing and advanced phishing kits to intercept SSO credentials and bypass MFA in real time. Several companies have confirmed breaches and the group posted millions of allegedly stolen records.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

🇺🇸 🤖 The U.S. government wants other countries to adopt its AI cybersecurity standards — Officials will use diplomacy and industry guidance to promote secure AI practices. They will also push AI defenses and modernize federal networks.

🇺🇸 Wrongful-arrest — Two paid penetration testers were arrested in 2019 after testing security at an Iowa courthouse. They had written permission from the Iowa Judicial Branch to perform physical attacks like lockpicking. The county agreed to pay them $600,000 to settle their wrongful-arrest and defamation lawsuit.

🇺🇸 🤦‍♂ CISA’s acting director, Madhu Gottumukkala, uploaded sensitive “for official use only” contracting documents to the public ChatGPT, triggering automated security warnings. DHS is probing whether the uploads harmed government security; Gottumukkala had been given a temporary exception to use the tool. He previously failed a counterintelligence polygraph and CISA limited staff access to classified data after his appointment.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🤗 Researchers found an Android malware campaign using Hugging Face to host thousands of malicious APK variants. A fake “TrustBastion” dropper tricks users into installing a security app, then downloads a remote-access payload that steals credentials and abuses Accessibility Services. Hugging Face removed the datasets after being alerted; users should avoid sideloading apps and check app permissions.

🐍 🎠 Researchers found two fake PyPI spellchecker packages that hid a base64 payload delivering a Python remote access trojan (RAT). The malicious payload was stored in a Basque dictionary file and was triggered when the package was imported, affecting over 1,000 downloads. The campaign resembles prior supply-chain attacks and highlights risks from typosquatting and AI-driven fake package references.

🧩 Security researchers found at least 16 malicious Chrome extensions that steal ChatGPT session tokens and other credentials. The extensions inject scripts to capture authorization data and send it to attackers. Downloads are low now, but researchers warn the threat could grow quickly.

⚒ 🌐 A new malware toolkit called Stanley lets attackers show fake web pages while the browser’s address bar still shows the real site. It can be sold as a service for $2,000–$6,000 and even promises publication on the Chrome Web Store. Infected browser extensions can push phishing pages and notifications to steal credentials without users noticing.

🎣 🇮🇳 Researchers found a phishing campaign in India using fake Income Tax Department emails to deliver malware. The attack sideloads a malicious DLL, escalates privileges, and installs Blackmoon and a repurposed SyncFuture RMM tool for spying. The attackers gain persistent access to monitor users and steal data while evading antivirus.

💰 💰 Illegal crypto flows jumped to a record $158 billion in 2025, reversing prior declines. TRM Labs says the rise was driven by sanctions-linked state actors, big hacks, and more sophisticated scams. Ransomware payments fell slightly, but laundering shifted to bridges and cross-chain methods.

🔓 Researchers found 175,000 publicly exposed Ollama AI hosts across 130 countries. Many of these systems allow tool-calling and run outside normal security controls, creating high-risk attack surfaces. Threat actors are already exploiting exposed endpoints for LLMjacking and resale.

💬 🔐 WhatsApp is adding a "Strict Account Settings" feature to block risky content from people not in your contacts. It aims to protect high-risk users like journalists from spyware attacks. The feature will roll out soon and can be enabled in Settings > Privacy > Advanced.

📱 🫣 Samsung teased a new privacy feature that hides parts of your Galaxy phone screen from onlookers. Users can customize it for apps, notifications, or when entering passcodes. The feature likely arrives on the Galaxy S26 Ultra and uses hardware and software to block side views.

📱 🤖 Google is adding stronger anti-theft features to Android phones, especially for Android 16 and up. New controls include easier toggles for Failed Authentication Lock, longer lockout times after wrong PINs, wider biometric protections, and a tougher Remote Lock. In Brazil, Theft Detection Lock and Remote Lock will be turned on by default.

🇪🇺 🔎 The EU has opened a formal probe under the Digital Services Act into X after its Grok AI generated sexually explicit and possibly child sexual abuse images. Regulators in the UK and California are also investigating and have questioned X’s safety and data practices. X later limited Grok’s image features to paid users amid criticism and a prior €120M DSA fine.

→ Undressed victims file class action lawsuit against xAI for Grok deepfakes

➝ From the Patching Department:

🔓 🌩 Two vulnerabilities in the n8n workflow platform could let attackers run code remotely. They bypassed AST-based sandboxes for JavaScript and Python, allowing full takeover of affected instances. Fixes were released in the listed n8n versions.

🔓 A critical vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox lets attackers escape the sandbox and run code on the host. The bug stems from improper sanitization of global Promise callbacks and was fixed across versions 3.10.1–3.10.3. Users should upgrade to the latest vm2 release immediately.

🔓 A critical bug in Grist‑Core called Cellbreak (CVE‑2026‑24002) lets malicious spreadsheet formulas escape Pyodide's sandbox and run code on the host. The flaw can give attackers filesystem access, credentials, and the ability to run OS or JavaScript commands. Update Grist to 1.7.9 or switch the sandbox to gvisor to mitigate the risk.

🇷🇺 🇵🇱 A Russian state-linked group called ELECTRUM is tied to a coordinated December 2025 cyber attack on Poland's power grid — Attackers breached control and communication systems at about 30 distributed energy sites and disabled some equipment beyond repair. Dragos says ELECTRUM worked with an access-focused cluster (KAMACITE) to move from IT into OT and target grid systems.

🐛 🔓 A study of 100+ substations and power plants found widespread cybersecurity and operational gaps that leave energy systems exposed. Common issues included unpatched devices, weak network segmentation, undocumented external connections, and poor asset inventories. Organizational problems like IT/OT silos and lack of OT security staff make these risks worse.

🚪 🔓 Researchers found over 20 vulnerabilities in Dormakaba door access systems that could let attackers unlock doors, steal PINs, or escalate attacks. The flaws included hardcoded keys, weak passwords, missing authentication, and exposed systems — some of which were internet-accessible. Dormakaba has been patching systems and working with customers, and says it knows of no real-world exploits so far.

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.