Threat Intelligence

Attackers Get Creative: From Job Scams to Dead Drops on the Blockchain

You know how we’re always telling people that attackers are getting more sophisticated? Well, this week’s news really drives that point home. We’re seeing everything from cybercriminals abusing legitimate no-code platforms to using cryptocurrency blockchains as command-and-control infrastructure. Let me walk you through what’s been happening.

When Legitimate Tools Become Attack Vectors

The most interesting development this week involves threat actors abusing Bubble’s AI app builder platform to create convincing Microsoft credential phishing sites. If you’re not familiar with Bubble, it’s a legitimate no-code platform that lets people build web applications without traditional programming skills.

PolyShell Attacks Hit Majority of Vulnerable Magento Stores as Identity Theft Reaches Industrial Scale

We’re seeing some concerning patterns emerge this week that highlight just how quickly attackers can scale their operations when they find the right targets. The most immediate threat hitting e-commerce businesses is the ongoing PolyShell campaign, which has already compromised 56% of all vulnerable Magento stores – a staggering success rate that should have every online retailer checking their patch status right now.

Ghost Campaigns and Harbor Defaults: Why This Week's Security News Should Make You Check Your Assumptions

You know that feeling when you think you’ve got everything locked down, and then reality comes knocking? This week’s security news is serving up a healthy dose of that reality check, with some particularly sneaky attack vectors that caught my attention.

The npm Ghost Campaign: When Install Logs Lie

Let’s start with the most creative attack I’ve seen in a while. Security researchers discovered what they’re calling the “Ghost Campaign” – a sophisticated npm supply chain attack that’s doing something I haven’t seen before: faking install logs to hide malicious activity.

Firefox Gets Free VPN While Attackers Perfect Their Social Engineering Game

It’s been quite a week in security news, and I wanted to share some thoughts on the stories that caught my attention. We’re seeing interesting developments on both the defensive and offensive sides – from Mozilla stepping up privacy protection to attackers getting increasingly creative with their delivery methods.

Mozilla Makes VPN Protection Mainstream

The biggest news for everyday users has to be Firefox’s new built-in VPN feature in version 149. Fifty gigabytes of monthly VPN traffic at no cost is genuinely impressive, especially when you consider that many people have never used a VPN at all.

FCC Drops the Hammer on Foreign Routers While Attackers Get Creative with Tax Season

Hey everyone – Emma here with some updates that caught my attention this week. We’ve got everything from sweeping policy changes to some pretty clever attack techniques that are worth discussing.

The Big Policy Move: FCC Says No More Foreign Routers

The biggest news this week is probably the FCC’s decision to ban all new consumer routers made outside the USA. They’ve updated their Covered List to include essentially any router manufactured in a foreign country, which is a pretty dramatic expansion from their previous approach of targeting specific companies or models.

TeamPCP's Supply Chain Spree and the AI Security Blind Spot We All Missed

I’ve been tracking some concerning developments this week that highlight two major gaps in our security posture. While we’ve all been focused on traditional attack vectors, threat actors are exploiting both our software supply chains and our growing reliance on AI tools in ways that should make us all uncomfortable.

The TeamPCP Supply Chain Rampage Continues

TeamPCP is having quite the month. After successfully compromising Trivy and KICS, they’ve now set their sights on the popular LiteLLM Python package, and frankly, their execution is getting more sophisticated with each attack.

Supply Chain Attackers Target Developer Security Tools While Critical PLM Bug Demands Immediate Action

The past week has brought some unsettling news that really drives home how our threat landscape keeps shifting in unexpected ways. We’re seeing attackers go after the very tools we use to secure our code, while a critical RCE vulnerability in widely-used enterprise software is demanding immediate attention from security teams.

TeamPCP Goes After Our Security Tools

Here’s something that should make us all pause: the TeamPCP threat group has been systematically targeting popular security and development tools that many of us rely on daily. According to Dark Reading, they’ve hit Trivy, Checkmarx’s KICS code scanner, VS Code plugins, and the LiteLLM AI library.

TeamPCP's Multi-Front Attack: When Wipers Meet Supply Chain Compromise

We’re seeing something interesting unfold this week that’s worth paying attention to. The TeamPCP hacking group has been making moves across multiple attack vectors simultaneously, and their latest campaign shows how threat actors are getting more sophisticated about targeting specific regions while compromising the tools we rely on daily.

The Kubernetes Wiper That Knows Geography

Let’s start with the most unusual piece: TeamPCP is deploying a wiper malware that specifically targets Iranian systems through Kubernetes clusters. What makes this particularly noteworthy isn’t just the geopolitical targeting—it’s the technical approach. The malicious script actually checks system configurations to identify Iranian infrastructure before wiping everything clean.

Supply Chain Attacks Are Getting Smarter: The Trivy Incident Shows How Attackers Are Targeting Our Tools

We’ve all been there – rushing to implement security tools in our CI/CD pipelines, confident we’re doing the right thing. But what happens when the very tools we trust to protect us become the attack vector? That’s exactly what happened with Trivy, and it’s a wake-up call we all need to hear.

When Security Tools Become Attack Vectors

A threat actor recently managed to weaponize Trivy, the popular open-source security scanner, turning it into an infostealer that targets CI/CD workflows. Think about that for a moment – they didn’t just compromise a random application or service. They went after a tool specifically designed to find vulnerabilities, knowing that security-conscious teams would be using it in their most sensitive environments.

North Korean Hackers Target Developers While AI Security Gaps Widen

As someone who’s spent the last decade watching threat actors adapt their tactics, I have to admit the latest campaign from North Korean hackers caught my attention. They’re now weaponizing something most of us use daily: Visual Studio Code’s task automation features.

Developers in the Crosshairs

The group behind the “Contagious Interview” campaign (also tracked as WaterPlum) has been busy since December, distributing their StoatWaffle malware through malicious VS Code projects. What makes this particularly clever is their abuse of VS Code’s tasks.json files – those handy automation scripts that developers rely on to streamline their workflows.