When JavaScript Worms Wake Up and Crypto Contractors Go Rogue


You know those moments when you think you’ve seen it all in cybersecurity, and then the universe serves up a fresh reminder that there’s always something new? This week delivered exactly that kind of reality check.

The Great Wikipedia Woodpecker Incident

Let’s start with what might be the most unexpectedly charming security story I’ve encountered in years. A security engineer at Wikipedia was doing routine work when they accidentally triggered a JavaScript worm that had been dormant since 2024. Within minutes, the entire site was plastered with giant woodpecker images.

Now, before you start laughing too hard (though honestly, the mental image is pretty great), this incident highlights something we should all be paying attention to. Dormant malware doesn’t always stay dormant, and sometimes the most innocuous actions can trigger unexpected consequences. The fact that this worm survived undetected for nearly two years in Wikipedia’s infrastructure should make all of us think twice about our own environments: site-wide JavaScript is executable code that runs in every visitor’s browser, and anything of that kind that nobody has reviewed recently deserves the same inventory and review as any other code you ship.

What I find particularly interesting is how quickly it spread once activated. The speed says nothing about the payload and everything about the propagation mechanism, which was clearly built to persist and to replicate. That is the uncomfortable part: a working worm with a harmless payload is one payload swap away from a harmful one, so the amusing outcome here should not be mistaken for a low-severity finding.

The $46 Million Telegram Confession

Speaking of things that should make us think twice, we have what might be the most spectacularly stupid cybercrime story of the year. A crypto contractor working with the US Marshals Service to manage seized digital assets allegedly decided to help himself to $46 million worth of those assets. The kicker? He then bragged about it on a recorded Telegram call.

This case perfectly illustrates why insider threat programs exist and why they’re so critical. When you’re dealing with high-value digital assets, the traditional “trust but verify” approach needs to lean heavily on the verification side. The contractor had legitimate access to these systems, and that is exactly what made the theft possible: no vulnerability needed to be exploited, only a control that assumed the operator was honest.

From a technical standpoint, this incident raises questions about monitoring and controls around cryptocurrency custody. Digital assets present unique challenges because transfers are irreversible and destinations are pseudonymous, so detecting a theft after the fact recovers nothing. The controls that matter are the preventive ones: dual authorization for transfers above a threshold, separation of duties so that the person initiating a transfer cannot approve it, destination allowlists for known custody addresses, and monitoring that alerts while a transfer can still be stopped rather than in a quarterly report.
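Here is an added example of what those preventive controls look like when written down as a policy check. This is not code from the page or from any agency or custodian; the transfer records, the destination labels, the threshold and the field names (initiator, approvers, amount_usd, destination) are all constructed for illustration. It evaluates each transfer against a destination allowlist, a two-person rule above a dollar threshold, and a prohibition on self-approval, and reports which transfers would have been blocked.

```python
"""Dual-control policy check for custody transfers.

Added example, not from the page or from any real custody system.
All records below are constructed; destination labels are placeholders,
not real wallet addresses, and the policy values are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed policy values (assumptions, not from the page).
ALLOWED_DESTINATIONS = {"cold-vault-A", "cold-vault-B"}
APPROVAL_THRESHOLD_USD = 100_000   # transfers at or above this need dual control
MIN_INDEPENDENT_APPROVERS = 2      # approvers who are not the initiator


@dataclass
class Transfer:
    tx_id: str
    initiator: str
    amount_usd: float
    destination: str
    approvers: List[str] = field(default_factory=list)


def check_transfer(t: Transfer) -> List[str]:
    """Return the list of policy violations for one transfer (empty = allowed)."""
    violations = []

    # Destination allowlist: pseudonymous addresses mean we cannot judge a
    # destination by looking at it, so only pre-registered ones are permitted.
    if t.destination not in ALLOWED_DESTINATIONS:
        violations.append("destination not on allowlist")

    # Separation of duties: the initiator may never count as an approver.
    if t.initiator in t.approvers:
        violations.append("initiator self-approved")

    # Two-person rule above the threshold, counting only independent approvers.
    if t.amount_usd >= APPROVAL_THRESHOLD_USD:
        independent = {a for a in t.approvers if a != t.initiator}
        if len(independent) < MIN_INDEPENDENT_APPROVERS:
            violations.append("insufficient independent approvals")

    return violations


def audit(transfers: List[Transfer]) -> Dict[str, List[str]]:
    """Map every transfer id to its violations, for logging or alerting."""
    return {t.tx_id: check_transfer(t) for t in transfers}


def flagged(transfers: List[Transfer]) -> List[str]:
    """Ids of transfers that the policy would block, in sorted order."""
    return sorted(tx for tx, v in audit(transfers).items() if v)


# Constructed sample records (not real transactions).
SAMPLE_TRANSFERS = [
    Transfer("T1", "alice", 50_000, "cold-vault-A", approvers=["bob"]),
    Transfer("T2", "carol", 46_000_000, "external-wallet-x", approvers=["carol"]),
    Transfer("T3", "dave", 250_000, "cold-vault-B", approvers=["erin", "frank"]),
    Transfer("T4", "dave", 250_000, "cold-vault-B", approvers=["erin"]),
]

if __name__ == "__main__":
    for tx_id, violations in audit(SAMPLE_TRANSFERS).items():
        status = "ALLOW" if not violations else "BLOCK: " + "; ".join(violations)
        print(f"{tx_id}: {status}")
```

The check runs before the transfer is signed, which is the only point at which an irreversible transaction can still be stopped; the same function can be re-run over the day’s transfer log to confirm nothing bypassed it. Note that the self-approval rule and the independent-approver count are separate checks, so a transfer approved only by its initiator is flagged twice, which is the behaviour you want when someone with legitimate access is the one you are defending against.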

Healthcare Under Siege in the Pacific

Moving to more serious territory, the INC ransomware group has been systematically targeting healthcare infrastructure across Australia, New Zealand, and Tonga. Government agencies, emergency clinics, and other critical services have been hit, and the impact on patient care has been significant.

What’s particularly concerning about this campaign is the geographic coordination. Targeting healthcare systems across multiple countries in Oceania suggests a level of planning and resource allocation that goes beyond opportunistic attacks. INC appears to be deliberately choosing targets that are likely to pay quickly due to the life-critical nature of their services.

Healthcare organizations in this region – and honestly, everywhere – need to take a hard look at their backup and recovery capabilities. That means more than having backups: at least one copy needs to be offline or immutable so the same intrusion cannot encrypt it, and restores need to be rehearsed against the systems clinicians actually depend on, with a known time to recovery. When ransomware hits a hospital, you’re not just talking about business continuity; you’re talking about life and death decisions. The attackers know this, and they’re counting on it to pressure victims into paying.

WhatsApp’s Parental Controls: Security by Design

On a more positive note, WhatsApp’s introduction of parent-managed accounts for pre-teens represents a thoughtful approach to balancing communication needs with safety concerns. Parents can control who can contact their children and which groups they can join – features that address real safety issues without being overly restrictive.

From a security perspective, this is interesting because it implements access controls at the social level rather than just the technical level. The real threats to children on messaging platforms often come from social engineering and inappropriate contact, not necessarily technical vulnerabilities in the app itself.

New Leadership at NSA and Cyber Command

Finally, the Senate’s confirmation of Joshua Rudd to lead both NSA and US Cyber Command continues the “dual-hat” leadership structure that’s been in place for years. For those of us in the private sector, this leadership appointment matters because these organizations increasingly work closely with industry on threat intelligence sharing and incident response.

The dual-hat arrangement has always been somewhat controversial – managing both offensive and defensive cyber capabilities under one leader creates interesting dynamics. But given the interconnected nature of modern cyber threats, having coordinated leadership probably makes more sense than splitting the roles.

The Bigger Picture

What strikes me about this week’s stories is how they illustrate the full spectrum of cybersecurity challenges we’re dealing with. From amusing accidents that reveal serious persistence issues, to brazen insider threats, to coordinated international attacks on critical infrastructure – it’s all happening simultaneously.

The common thread? Human behavior remains the wild card in all our security calculations. Whether it’s an engineer accidentally triggering dormant malware, a contractor stealing millions while bragging about it, or attackers choosing targets based on their likelihood to pay ransoms, people are still the most unpredictable element in any security equation.
