Ransomware & Malware

Ghost Campaigns and Harbor Defaults: Why This Week's Security News Should Make You Check Your Assumptions

You know that feeling when you think you’ve got everything locked down, and then reality comes knocking? This week’s security news is serving up a healthy dose of that reality check, with some particularly sneaky attack vectors that caught my attention.

The npm Ghost Campaign: When Install Logs Lie

Let’s start with the most creative attack I’ve seen in a while. Security researchers discovered what they’re calling the “Ghost Campaign” – a sophisticated npm supply chain attack that’s doing something I haven’t seen before: faking install logs to hide malicious activity.
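A faked install log only works if you trust the log. The check below, an added example rather than code from the Ghost Campaign research or from npm, reads every installed package.json from disk and lists the install-time lifecycle hooks, so the terminal output never enters into it. It assumes the directory layout npm produces (node_modules/<name>, node_modules/@scope/<name>, and nested node_modules for conflicting versions); the sample tree it builds is constructed for the demo and contains no real packages.

```python
"""Enumerate install-time lifecycle scripts in an npm tree by reading the
package manifests on disk, instead of trusting what `npm install` printed.
Added example, not code from the Ghost Campaign research or from npm.
Assumes the directory layout npm creates (node_modules/<name>,
node_modules/@scope/<name>, nested node_modules for conflicting versions)."""
import json
import os
import tempfile

# Hooks npm runs automatically while installing a dependency, i.e. the
# places a package can execute code on the developer's machine
# (prepare applies to git dependencies).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def _is_package_root(path):
    """True for node_modules/<name> and node_modules/@scope/<name>, at any nesting."""
    parent = os.path.dirname(path)
    if os.path.basename(parent) == "node_modules":
        return True
    return (os.path.basename(parent).startswith("@")
            and os.path.basename(os.path.dirname(parent)) == "node_modules")


def find_install_hooks(node_modules):
    """Return {package name: {hook: command}} for every installed package
    whose package.json declares an install-time script."""
    findings = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files or not _is_package_root(root):
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to inspect
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[manifest.get("name", os.path.basename(root))] = hooks
    return findings


def build_sample_tree():
    """Constructed sample tree for the demo; none of these are real packages."""
    base = tempfile.mkdtemp()
    nm = os.path.join(base, "node_modules")
    manifests = {
        "left-pad-ish": {"name": "left-pad-ish", "version": "1.0.0",
                         "scripts": {"test": "jest"}},
        "@acme/colors": {"name": "@acme/colors", "version": "2.1.0",
                         "scripts": {"postinstall": "node ./setup.js"}},
        # a nested copy, the way npm lays out a conflicting version
        "left-pad-ish/node_modules/deep-dep": {
            "name": "deep-dep", "version": "0.3.0",
            "scripts": {"preinstall": "sh ./fetch.sh", "test": "jest"}},
    }
    for rel, manifest in manifests.items():
        pkg_dir = os.path.join(nm, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return nm


if __name__ == "__main__":
    for name, hooks in find_install_hooks(build_sample_tree()).items():
        for hook, command in hooks.items():
            print(f"{name}: {hook} -> {command}")
```

Point it at a real tree with `find_install_hooks("node_modules")`. The cheaper policy is to not run hooks at all: `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) and then run the few you have vetted by hand; `npm query ":attr(scripts, [postinstall])"` gives a similar listing from npm itself.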

Firefox Gets Free VPN While Attackers Perfect Their Social Engineering Game

It’s been quite a week in security news, and I wanted to share some thoughts on the stories that caught my attention. We’re seeing interesting developments on both the defensive and offensive sides – from Mozilla stepping up privacy protection to attackers getting increasingly creative with their delivery methods.

Mozilla Makes VPN Protection Mainstream

The biggest news for everyday users has to be Firefox’s new built-in VPN feature in version 149. Fifty gigabytes of monthly VPN traffic at no cost is genuinely impressive, especially when you consider that many people have never used a VPN at all.

FCC Drops the Hammer on Foreign Routers While Attackers Get Creative with Tax Season

Hey everyone – Emma here with some updates that caught my attention this week. We’ve got everything from sweeping policy changes to some pretty clever attack techniques that are worth discussing.

The Big Policy Move: FCC Says No More Foreign Routers

The biggest news this week is probably the FCC’s decision to ban all new consumer routers made outside the USA. They’ve updated their Covered List to include essentially any router manufactured in a foreign country, which is a pretty dramatic expansion from their previous approach of targeting specific companies or models.

TeamPCP's Supply Chain Spree and the AI Security Blind Spot We All Missed

I’ve been tracking some concerning developments this week that highlight two major gaps in our security posture. While we’ve all been focused on traditional attack vectors, threat actors are exploiting both our software supply chains and our growing reliance on AI tools in ways that should make us all uncomfortable.

The TeamPCP Supply Chain Rampage Continues

TeamPCP is having quite the month. After successfully compromising Trivy and KICS, they’ve now set their sights on the popular LiteLLM Python package, and frankly, their execution is getting more sophisticated with each attack.

When Security Tools Become Attack Vectors: This Week's Supply Chain Wake-Up Call

I’ve been following security news for years, but this week’s stories really highlight how creative attackers are getting with their targeting strategies. While everyone’s talking about the Crunchyroll breach affecting 6.8 million anime fans, the story that’s keeping me up at night is actually about Aqua’s Trivy vulnerability scanner getting compromised.

The Irony of Hacking Security Tools

Here’s what happened with Trivy: attackers published a malicious scanner release and re-pointed legitimate release tags at information-stealer malware. Think about that for a second – security teams around the world run vulnerability scanners to protect their infrastructure, and now those very tools are being weaponized against them.
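A moved tag, as in the Trivy case here, and a replaced package, as with LiteLLM above, both work because consumers reference something mutable. The check below is an added example (not code from Aqua, Trivy, KICS, LiteLLM or GitHub) that flags two such references: GitHub Actions `uses:` lines pinned to a tag or branch instead of a full commit SHA, and pip requirements without `--hash` values. The regexes and the two sample files are this example's own; the 40-hex and sha256 values in the samples are placeholders, not real commits or digests.

```python
"""Flag dependency references that a compromised upstream can silently
repoint: GitHub Actions `uses:` lines pinned to a tag or branch instead of a
commit SHA, and pip requirements that lack --hash values. Added example; not
code from Aqua, Trivy, KICS, LiteLLM or GitHub. The regexes and sample
files are this example's own."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def unpinned_actions(workflow_yaml):
    """Return `uses:` references whose version part is not a 40-hex commit SHA.
    Local (./) and docker:// references are skipped: they are not resolved
    through a mutable git tag on someone else's repository."""
    unpinned = []
    for line in workflow_yaml.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _repo, _at, version = ref.partition("@")
        if not FULL_SHA.match(version):
            unpinned.append(ref)
    return unpinned


def _logical_lines(text):
    """Join backslash-continued lines, the usual layout of hashed requirements."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        yield buf + stripped
        buf = ""
    if buf:
        yield buf


def unhashed_requirements(requirements_txt):
    """Return requirement specs that are not both ==-pinned and hash-pinned."""
    weak = []
    for line in _logical_lines(requirements_txt):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blank, comment, or a pip option line such as --index-url
        spec = line.split()[0]
        if "==" not in spec or "--hash=" not in line:
            weak.append(spec)
    return weak


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-helper
"""

# Constructed sample requirements file; the hash is a placeholder.
SAMPLE_REQUIREMENTS = r"""# pinned and hashed
litellm==1.2.3 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.31.0
pyyaml
"""

if __name__ == "__main__":
    print("unpinned actions:", unpinned_actions(SAMPLE_WORKFLOW))
    print("unhashed requirements:", unhashed_requirements(SAMPLE_REQUIREMENTS))
```

A SHA pin stops a moved tag from changing what your pipeline runs, but it does not review the commit for you; pin a commit you have looked at and update it deliberately. On the pip side, `pip install --require-hashes -r requirements.txt` turns the hashes from advisory into mandatory.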

TeamPCP's Multi-Front Attack: When Wipers Meet Supply Chain Compromise

We’re seeing something interesting unfold this week that’s worth paying attention to. The TeamPCP hacking group has been making moves across multiple attack vectors simultaneously, and their latest campaign shows how threat actors are getting more sophisticated about targeting specific regions while compromising the tools we rely on daily.

The Kubernetes Wiper That Knows Geography

Let’s start with the most unusual piece: TeamPCP is deploying a wiper malware that specifically targets Iranian systems through Kubernetes clusters. What makes this particularly noteworthy isn’t just the geopolitical targeting—it’s the technical approach. The malicious script actually checks system configurations to identify Iranian infrastructure before wiping everything clean.

When Attackers Move Faster Than Our Coffee Break: The 22-Second Reality Check

I’ve been staring at some numbers from this week’s M-Trends report that honestly made me spill my coffee. We’re talking about initial access handoff times dropping to just 22 seconds. Twenty-two seconds. That’s barely enough time to realize something’s wrong, let alone do anything about it.

This isn’t just another “attackers are getting faster” story – it’s a fundamental shift that’s reshaping how we need to think about incident response and detection. When I started in security, we measured breach progression in hours or days. Now we’re down to seconds for that critical handoff from initial access brokers to the ransomware crews.

North Korean Hackers Target Developers While AI Security Gaps Widen

As someone who’s spent the last decade watching threat actors adapt their tactics, I have to admit the latest campaign from North Korean hackers caught my attention. They’re now weaponizing something most of us use daily: Visual Studio Code’s task automation features.

Developers in the Crosshairs

The group behind the “Contagious Interview” campaign (also tracked as WaterPlum) has been busy since December, distributing their StoatWaffle malware through malicious VS Code projects. What makes this particularly clever is their abuse of VS Code’s tasks.json files – those handy automation scripts that developers rely on to streamline their workflows.
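The thing that makes tasks.json useful to an attacker is that a task can be configured to start when the folder is opened, before the developer has read anything. The audit below is an added example, not code from the Contagious Interview reporting or from Microsoft. It assumes the tasks.json schema (a `tasks` list in which an entry carrying `"runOptions": {"runOn": "folderOpen"}` launches automatically) and strips only full-line `//` comments from the JSON-with-comments format; the sample file is constructed for the demo.

```python
"""Audit a VS Code tasks.json for tasks that start as soon as the folder is
opened. Added example, not code from the Contagious Interview reporting or
from Microsoft. Assumes the tasks.json schema: a "tasks" list in which an
entry carrying "runOptions": {"runOn": "folderOpen"} is launched without
the developer invoking it."""
import json
import re

# tasks.json is JSON with comments; this example strips full-line // comments
# only (assumption: no // on a line of its own inside a string value).
_LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_tasks_json(text):
    return json.loads(_LINE_COMMENT.sub("", text))


def auto_run_tasks(tasks_json_text):
    """Return one dict per folderOpen task: its label, the command line it
    runs, and whether the task hides its terminal output."""
    doc = load_tasks_json(tasks_json_text)
    hits = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on != "folderOpen":
            continue
        cmd = task.get("command", "")
        args = task.get("args") or []
        presentation = task.get("presentation") or {}
        hits.append({
            "label": task.get("label", "<unlabeled>"),
            "command": " ".join([cmd, *map(str, args)]).strip(),
            # reveal: never keeps the terminal panel closed while the task runs
            "hidden": presentation.get("reveal") == "never",
        })
    return hits


# Constructed sample, not a real project's file.
SAMPLE_TASKS_JSON = r"""{
  // constructed sample
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
      "group": "build"
    },
    {
      "label": "prepare workspace",
      "type": "shell",
      "command": "node",
      "args": ["scripts/setup.js", "--quiet"],
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}
"""

if __name__ == "__main__":
    for hit in auto_run_tasks(SAMPLE_TASKS_JSON):
        flag = " (terminal hidden)" if hit["hidden"] else ""
        print(f'{hit["label"]}: {hit["command"]}{flag}')
```

Run it over `.vscode/tasks.json` of any repository you did not write before opening it in the editor, and treat an auto-run task that also hides its terminal as untrusted code. VS Code only starts these in a trusted workspace, and the `task.allowAutomaticTasks` setting turns them off entirely.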

Perseus Android Malware Targets Your Notes App While CISA Sounds Alarms on Multiple Exploited Vulnerabilities

You know that feeling when you realize attackers have found a new angle you hadn’t considered? That’s exactly what happened this week with the discovery of Perseus, a new Android malware that’s doing something I haven’t seen before – it’s specifically targeting users’ note-taking apps to steal sensitive information.

While we’ve all gotten pretty good at warning people not to store passwords in plain text files, how many of us have explicitly told users not to jot down crypto wallet recovery phrases or banking details in their phone’s notes app? The Perseus malware is betting that not many of us have had that conversation, and honestly, they’re probably right.

Russian APTs Target Ukrainian Infrastructure While Critical Flaws Hit Enterprise Networks

It’s been one of those weeks where the threat landscape feels particularly active, and I wanted to walk through some developments that caught my attention. We’re seeing a concerning mix of nation-state activity and critical enterprise vulnerabilities that deserve our immediate focus.

Russian Groups Double Down on Zimbra Attacks

The most troubling news comes from Ukraine, where Russian APT groups are actively exploiting a Zimbra vulnerability to target critical infrastructure. According to SecurityWeek, this isn’t your typical phishing campaign – they’re leveraging insufficient CSS sanitization in HTML emails to execute inline scripts when messages are opened in browsers.
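Stripping `<script>` from an HTML email and passing everything else through is the weak form of sanitization this class of bug lives on. The sanitizer below is an added example, not code from Zimbra or the SecurityWeek report: `strict=False` reproduces that weak approach, while `strict=True` drops `<style>` blocks and event handlers, allowlists tags and attributes, and only keeps inline `style` declarations whose property is on a short allowlist and whose value carries no `url(`, `expression(`, `@import`, `javascript:`, `behavior:` or backslash escape. The allowlists are this example's own choices and the sample email is constructed.

```python
"""Strip the CSS paths through which an HTML email can smuggle active content
into the web client that renders it. Added example, not code from Zimbra or
the SecurityWeek report; the tag, attribute and CSS allowlists are this
example's own choices. strict=False reproduces the weak approach of removing
only <script>, to show what it leaves behind."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "div", "span",
                "ul", "ol", "li", "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"href", "title", "style", "colspan", "rowspan"}
ALLOWED_CSS = {"color", "background-color", "font-size", "font-weight",
               "text-align", "margin", "padding"}
# Value constructs that load remote resources, run code in legacy engines, or
# smuggle escaped characters past simple filters.
UNSAFE_CSS_VALUE = re.compile(
    r"url\s*\(|expression\s*\(|@import|javascript:|behavior\s*:|\\", re.I)
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_HREF = ("http://", "https://", "mailto:")


def clean_style(value):
    """Keep only allowlisted properties whose values contain no unsafe construct."""
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        if not sep:
            continue
        prop, val = prop.strip().lower(), val.strip()
        if prop in ALLOWED_CSS and not UNSAFE_CSS_VALUE.search(val):
            kept.append(f"{prop}: {val}")
    return "; ".join(kept)


class _Sanitizer(HTMLParser):
    def __init__(self, strict):
        super().__init__(convert_charrefs=True)
        self.strict, self.out, self.skip = strict, [], None

    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag in (DROP_WITH_CONTENT if self.strict else {"script"}):
            self.skip = tag          # drop the element and everything inside it
            return
        if self.strict and tag not in ALLOWED_TAGS:
            return                   # unknown element: drop the tag, keep its text
        rendered = []
        for name, val in attrs:
            name, val = name.lower(), val or ""
            if self.strict:
                if name not in ALLOWED_ATTRS:       # also removes every on* handler
                    continue
                if name == "style":
                    val = clean_style(val)
                    if not val:
                        continue
                if name == "href" and not val.strip().lower().startswith(SAFE_HREF):
                    continue
            rendered.append(f' {name}="{escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.skip:
            if tag == self.skip:
                self.skip = None
            return
        if self.strict and tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))


def sanitize_email_html(html, strict=True):
    parser = _Sanitizer(strict)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message; example.invalid is a reserved, non-resolving domain.
SAMPLE_EMAIL = """<html><head><style>@import url("https://example.invalid/evil.css");</style></head>
<body><p style="color: red; background: url(https://example.invalid/track.gif)">Invoice attached.</p>
<a href="javascript:alert(1)" onclick="alert(1)">Open</a><script>alert(1)</script></body></html>"""

if __name__ == "__main__":
    print("weak:  ", sanitize_email_html(SAMPLE_EMAIL, strict=False))
    print("strict:", sanitize_email_html(SAMPLE_EMAIL, strict=True))
```

The weak pass leaves the `<style>` block, the `@import`, the `onclick` handler and the `javascript:` link intact; the strict pass keeps `color: red` and nothing else from the styling. An allowlist of this kind is the shape to aim for, but in production put a maintained sanitizer library behind it rather than a hand-rolled parser.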