Device Code Phishing Explodes 37x While LinkedIn Quietly Scans Your Browser Extensions

I’ve been tracking some concerning developments this week that really highlight how attackers are getting more creative while legitimate companies push privacy boundaries. Let’s dig into what’s happening and why it matters for our day-to-day security work.

The Device Code Phishing Surge We Should Have Seen Coming

The biggest story catching my attention is the 37x surge in device code phishing attacks. If you're not familiar with the technique, attackers abuse OAuth 2.0's Device Authorization Grant (RFC 8628), the legitimate flow that lets input-constrained devices like smart TVs sign in by showing you a short code that you type into a browser on your phone or laptop.

What makes this so effective is that the attacker, not the victim, starts the flow. The attacker asks the identity provider for a device code, receives the short user code that goes with it, and sends that user code to the victim in a lure that points at the provider's genuine verification page. The victim lands on a real login page, signs in, completes MFA as usual, types the code, and the attacker's waiting client is handed the victim's access and refresh tokens. No look-alike domain, no password to capture, and MFA is satisfied by the victim. With ready-made kits circulating online, expect the technique to be picked up by far less sophisticated actors.
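
To make the trust problem concrete, here is a minimal model of the three steps of the Device Authorization Grant with the attacker running steps 1 and 3 and the victim doing step 2. This is an added example, not code from this post or from any identity provider; the in-memory AuthorizationServer, the FakeClock and the idp.example URL are hypothetical stand-ins. The point to notice is in verify(): the server can check the code, the password and MFA, but it has no way to check that the person typing the code is the person who started the flow.

```python
"""Minimal model of the OAuth 2.0 Device Authorization Grant (RFC 8628),
written to show why device code phishing works. Added example, not code from
the post; AuthorizationServer and the 'idp.example' URL are hypothetical."""
import secrets

# RFC 8628 recommends a user-code alphabet without vowels or confusable characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


class FakeClock:
    """Manual clock so the polling interval can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    def __init__(self, clock, lifetime=900, interval=5):
        self._clock = clock
        self._lifetime = lifetime
        self._interval = interval
        self._pending = {}        # device_code -> grant record
        self._by_user_code = {}   # user_code -> device_code

    def device_authorization(self, client_id, scope):
        """Step 1: the CLIENT (whoever runs it) obtains the code pair."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        self._pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "expires_at": self._clock.now() + self._lifetime,
            "subject": None, "last_poll": None,
        }
        self._by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",
                "expires_in": self._lifetime, "interval": self._interval}

    def verify(self, user_code, subject, mfa_passed):
        """Step 2: a USER signs in at the genuine verification page and types the code.
        The server validates the code and the user's credentials/MFA. Nothing here
        ties this user to the client that performed step 1."""
        device_code = self._by_user_code.get(user_code.replace("-", "").upper())
        if device_code is None:
            return "invalid_code"
        rec = self._pending[device_code]
        if self._clock.now() > rec["expires_at"]:
            return "expired_token"
        if not mfa_passed:
            return "mfa_required"
        rec["subject"] = subject
        return "approved"

    def token(self, device_code):
        """Step 3: the CLIENT polls the token endpoint with its device_code."""
        rec = self._pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        now = self._clock.now()
        if now > rec["expires_at"]:
            self._forget(device_code)
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self._interval:
            return {"error": "slow_down"}
        rec["last_poll"] = now
        if rec["subject"] is None:
            return {"error": "authorization_pending"}
        self._forget(device_code)  # a device_code is redeemed exactly once
        return {"access_token": "at-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8),
                "sub": rec["subject"], "scope": rec["scope"]}

    def _forget(self, device_code):
        rec = self._pending.pop(device_code)
        self._by_user_code.pop(rec["user_code"], None)


def phishing_scenario():
    """Attacker performs steps 1 and 3; the victim is lured into doing step 2."""
    clock = FakeClock()
    idp = AuthorizationServer(clock)
    # Attacker starts the flow and receives both codes.
    start = idp.device_authorization("public-cli-app", "mail.read offline_access")
    # Attacker polls right away: nothing yet.
    pending = idp.token(start["device_code"])
    # Victim gets the user_code in a lure, opens the REAL verification_uri,
    # signs in, passes MFA and enters the code. Everything they see is genuine.
    outcome = idp.verify(start["user_code"], "victim@corp.example", mfa_passed=True)
    # Attacker polls again after the interval and receives the victim's tokens.
    clock.advance(start["interval"])
    tokens = idp.token(start["device_code"])
    return pending, outcome, tokens


if __name__ == "__main__":
    print(phishing_scenario())
```

The refresh token is the prize: with offline_access in scope it keeps working long after the lure is forgotten, which is why revoking refresh tokens is part of the response, not just resetting the password.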

From a defense perspective this is tricky because nothing in the flow is forged: the tokens are issued by the real provider to whichever client started the flow. User education helps, but I would not rely on it. Block the device code flow for users and applications that have no reason to use it (Entra ID Conditional Access has an authentication flows condition for exactly this), watch sign-in logs for device code authentications from unexpected locations or client apps, and have a playbook ready to revoke refresh tokens the moment you find one, because the victim's password and MFA were never actually bypassed and resetting them alone does not evict the attacker. Have you seen any of these attacks in your environment yet?
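
As an added example of the log side of that (not code from the post), here is a small hunt over sign-in records that flags successful device code sign-ins from a country or IP the user has never used for any other sign-in, or from an app not on an allowlist. The records are constructed; the field names follow the Microsoft Entra sign-in log / Graph signIn schema as I know it (authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode) and should be checked against your own tenant's export before you depend on them.

```python
"""Flag device code sign-ins from a place the user has not otherwise signed in
from. Added example, not from the post. Records are constructed; field names
follow the Entra sign-in log schema as I know it (verify against your export)."""
import json
from collections import defaultdict

# Constructed sample: one JSON record per line, as a sign-in log export might give you.
SAMPLE_SIGNINS = """
{"createdDateTime":"2025-03-03T08:02:11Z","userPrincipalName":"alice@corp.example","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T08:40:52Z","userPrincipalName":"alice@corp.example","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","location":{"countryOrRegion":"NG"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:15:00Z","userPrincipalName":"bob@corp.example","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T09:16:30Z","userPrincipalName":"bob@corp.example","appDisplayName":"Microsoft Teams","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.22","location":{"countryOrRegion":"GB"},"status":{"errorCode":0}}
{"createdDateTime":"2025-03-03T10:01:05Z","userPrincipalName":"carol@corp.example","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"192.0.2.9","location":{"countryOrRegion":"US"},"status":{"errorCode":50126}}
"""


def parse_signins(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def build_baseline(records):
    """Per user: countries and IPs seen on successful sign-ins that did NOT use
    the device code flow. In production build this from a longer lookback."""
    baseline = defaultdict(lambda: {"countries": set(), "ips": set()})
    for r in records:
        if r["status"]["errorCode"] != 0 or r["authenticationProtocol"] == "deviceCode":
            continue
        b = baseline[r["userPrincipalName"]]
        b["countries"].add(r["location"]["countryOrRegion"])
        b["ips"].add(r["ipAddress"])
    return baseline


def find_suspicious_device_code_signins(records, allowed_apps=()):
    """Return one alert per successful device code sign-in that is either for an
    app not on the allowlist or from a country/IP outside the user's baseline."""
    baseline = build_baseline(records)
    alerts = []
    for r in records:
        # Only a SUCCESSFUL device code sign-in hands the polling client a token.
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue
        user = r["userPrincipalName"]
        b = baseline.get(user, {"countries": set(), "ips": set()})
        country, ip = r["location"]["countryOrRegion"], r["ipAddress"]
        if r["appDisplayName"] not in allowed_apps:
            reason = "unexpected_app"
        elif not b["countries"]:
            reason = "no_baseline"
        elif country not in b["countries"]:
            reason = "new_country"
        elif ip not in b["ips"]:
            reason = "new_ip"
        else:
            continue  # allowlisted app from a place this user normally signs in from
        alerts.append({"user": user, "time": r["createdDateTime"],
                       "app": r["appDisplayName"], "ip": ip,
                       "country": country, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_device_code_signins(
            parse_signins(SAMPLE_SIGNINS), allowed_apps=("Microsoft Azure CLI",)):
        print(alert)
```

With Azure CLI allowlisted, Bob's device code sign-in from his usual office address is left alone, Carol's failed attempt is ignored because no token was issued, and Alice's sign-in from a country she has never used is the one that gets raised. The alert is the trigger for the refresh token revocation mentioned above.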

When Former Enemies Become Friends: CrowdStrike and Microsoft

Here’s something I didn’t expect to write about - CrowdStrike’s Falcon platform can now ingest Microsoft Defender telemetry. Apparently, a shared interest in Formula 1 helped thaw what had been a pretty fierce rivalry between the two companies.

This is actually huge for those of us managing hybrid environments. Instead of fighting with data silos between different security tools, we can now get a more unified view of endpoint activity. The integration means better correlation capabilities and potentially fewer blind spots in our monitoring.

I’m curious to see how this plays out in practice. Microsoft has been pretty aggressive about promoting their own security stack, so this collaboration suggests they’re recognizing that customers want choice and interoperability, not vendor lock-in.

React2Shell: When Automation Meets Credential Harvesting

The React2Shell exploitation campaign shows how effective automated attacks have become. Attackers used automated scanning, with something called the Nexus Listener collection framework, to compromise over 750 systems.

What's particularly concerning is the scale and speed. This isn't a targeted attack; it's industrial-scale credential harvesting. The automation lets attackers cast a wide net, find every internet-exposed React deployment affected by the flaw, and pull credentials from each one before anyone has noticed.

If you're running React applications, treat this as a wake-up call: inventory what you have exposed, tighten your patching cadence, and assume that any host that sat unpatched while the scanning was running was found. Rotate the credentials such a host could reach and add monitoring for unusual authentication patterns involving them.

LinkedIn’s Secret Browser Surveillance

Now here's something that really bothers me from a privacy perspective. LinkedIn is running hidden JavaScript that checks visitors' browsers for the presence of more than 6,000 Chrome extensions and collects device data along the way. People are calling it "BrowserGate," which feels appropriate.

This kind of behavior from a major platform is problematic on multiple levels. First, there's the obvious privacy violation: users are not told this data collection is happening. Second, it normalizes invasive browser fingerprinting, and the exact same probe tells a malicious page which password manager, crypto wallet, or security extensions a target is running, which is useful reconnaissance for anyone building an attack.

From our perspective as security professionals, this highlights why we need to be more aggressive about monitoring outbound data from corporate networks and educating users about what legitimate websites should and shouldn’t be doing.
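
If you want to check whether a site you care about does this, the usual enumeration technique is to request chrome-extension://<id>/<resource> for a list of known extension IDs (an extension that exposes the resource through web_accessible_resources answers, one that is not installed does not). The audit script below is an added example, not LinkedIn's code or anything from this post: it pulls extension IDs out of a page's JavaScript, whether they appear in literal probe URLs or in an ID list fed to a URL template, and sizes the probe. The script text and the IDs in it are constructed; real extension IDs are 32 characters from a-p, which is what the regex keys on.

```python
"""Audit page JavaScript for browser-extension enumeration. Added example, not
LinkedIn's code. The CONSTRUCTED_SCRIPT and the IDs inside it are made up."""
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = r"[a-p]{32}"
# Literal probe: chrome-extension://<id>/<resource>
DIRECT_PROBE = re.compile(r"chrome-extension://(" + EXT_ID + r")/([A-Za-z0-9_./-]*)")
# Template probe: chrome-extension:// followed by something other than a literal id
TEMPLATED_PROBE = re.compile(r"chrome-extension://(?!" + EXT_ID + r"/)")
# Quoted 32-char ids, the shape of an id list that feeds a template
QUOTED_ID = re.compile("[\"'](" + EXT_ID + ")[\"']")

CONSTRUCTED_SCRIPT = r"""
const ids = ["abcdefghijklmnopabcdefghijklmnop", "ponmlkjihgfedcbaponmlkjihgfedcba",
             "aabbccddeeffgghhaabbccddeeffgghh"];
function probe(id, path) {
  return fetch(`chrome-extension://${id}/${path}`, {mode: "no-cors"})
    .then(() => true, () => false);
}
Promise.all(ids.map(id => probe(id, "manifest.json"))).then(report);
const img = new Image();
img.src = "chrome-extension://ihgfedcbaponmlkjihgfedcbaponmlkj/icon.png";
"""


def find_extension_probes(script):
    """Return the extension IDs a script probes for, how, and whether it uses a
    URL template (the tell-tale of a bulk scan driven by an ID list)."""
    direct = {}
    for ext_id, path in DIRECT_PROBE.findall(script):
        direct.setdefault(ext_id, []).append(path)
    uses_template = bool(TEMPLATED_PROBE.search(script))
    ids = set(direct)
    if uses_template:
        # Only trust bare quoted IDs as probes when a template exists to consume them.
        ids.update(QUOTED_ID.findall(script))
    return {"ids": sorted(ids), "direct": direct, "uses_template": uses_template}


def classify(report, bulk_threshold=50):
    """A handful of IDs is usually a site checking for its own companion extension;
    dozens or thousands is fingerprinting."""
    n = len(report["ids"])
    if n == 0:
        return "none"
    return "bulk" if n >= bulk_threshold else "targeted"


if __name__ == "__main__":
    r = find_extension_probes(CONSTRUCTED_SCRIPT)
    print(classify(r), r)
```

Run it over the scripts a page loads (save them from the browser's network panel or fetch them with the page's own script URLs) and look at the count: a site probing for thousands of IDs has no benign explanation that I can think of. The same pattern in a bulk of probes is also what a proxy or browser policy could block at chrome-extension:// requests originating from web origins, though that is a separate discussion.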

The $285 Million, 10-Second Heist

Finally, we have another reminder of why cryptocurrency security is so challenging. North Korean hackers drained $285 million from Drift in just 10 seconds: after taking over an admin key, they emptied five vaults using infrastructure and nonce-based transactions prepared in advance, so the withdrawals could be broadcast back to back the instant the key was in hand.

The speed is what gets me. Ten seconds from compromise to complete drainage. This wasn't a smash-and-grab; it was a carefully orchestrated operation with everything staged ahead of time. The attackers clearly understood the target's architecture well enough to line up multiple transactions and fire them at once.

This reinforces why traditional incident response timelines don’t work in the crypto space. By the time you detect the breach, the money is already gone and essentially unrecoverable.

What This Means for Us

These stories paint a picture of an attack landscape where automation is king and the line between legitimate business practices and invasive surveillance continues to blur. We need to adapt our defenses accordingly - better user education, faster detection capabilities, and a more critical eye toward the tools and platforms we trust.

The good news is that we’re also seeing more collaboration between security vendors, which should help us build more comprehensive defense strategies.