
Received yesterday — 12 December 2025

OpenAI built an AI coding agent and uses it to improve the agent itself

12 December 2025 at 17:16

With the popularity of AI coding tools rising among some software developers, their adoption has begun to touch every aspect of the process, including the improvement of AI coding tools themselves.

In interviews with Ars Technica this week, OpenAI employees revealed the extent to which the company now relies on its own AI coding agent, Codex, to build and improve the development tool. “I think the vast majority of Codex is built by Codex, so it’s almost entirely just being used to improve itself,” said Alexander Embiricos, product lead for Codex at OpenAI, in a conversation on Tuesday.

Codex, which OpenAI launched in its modern incarnation as a research preview in May 2025, operates as a cloud-based software engineering agent that can handle tasks like writing features, fixing bugs, and proposing pull requests. The tool runs in sandboxed environments linked to a user’s code repository and can execute multiple tasks in parallel. OpenAI offers Codex through ChatGPT’s web interface, a command-line interface (CLI), and IDE extensions for VS Code, Cursor, and Windsurf.


© Mininyx Doodle via Getty Images

Microsoft Bug Bounty Program Gets Major Expansion With ‘In Scope By Default’

12 December 2025 at 02:34


Microsoft Corp. has announced a major update to its bug bounty program, extending coverage to include any vulnerability affecting its online services. This new framework, referred to as “In Scope By Default,” is an important shift in how the tech giant approaches coordinated vulnerability disclosure.

Under this updated model, every Microsoft online service is automatically eligible for bounty awards from the moment it launches. Previously, the company relied on product-specific scope definitions, which often caused confusion for security researchers and limited the range of vulnerabilities eligible for rewards. By making all services In Scope By Default, Microsoft aims to make participation in the bug bounty program more predictable while ensuring critical vulnerabilities are addressed and incentivized regardless of their origin.

A key feature of the expanded scope is its coverage of third-party and open-source components integrated into Microsoft services. This means that vulnerabilities in external libraries, dependencies, or open-source packages that power Microsoft’s cloud infrastructure are now eligible for bug bounty rewards, not just flaws in Microsoft’s own software.

A Strategic Shift in Bug Bounty Security Incentives 

Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), highlighted the significance of the change in a December 11, 2025, blog post. He described it as more than an administrative adjustment, calling it a structural realignment designed to reflect real-world risk. Gallagher explained that by defaulting all services into scope, Microsoft hopes to reduce reporting delays, minimize confusion, and allow researchers to focus on vulnerabilities with meaningful impact on customers.

“If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher stated. “If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”

The new policy also allows Microsoft to collaborate more effectively with researchers on upstream or third-party vulnerabilities. The company can now assist with developing fixes or support maintainers when issues in external codebases directly affect Microsoft services.

Industry Reaction and Expected Impact 

All new Microsoft online services now fall under bug bounty coverage from day one, while millions of existing endpoints no longer require manual approval to qualify. The update is designed to make it easier for security professionals to identify and report vulnerabilities across Microsoft’s expansive ecosystem.

The new approach aligns with Microsoft’s broader security philosophy in an AI- and cloud-first environment, where attackers exploit any weak link, regardless of ownership. According to Gallagher, “Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.”

Last year, Microsoft’s bug bounty program and its Zero Day Quest live-hacking event awarded over $17 million to researchers for high-impact discoveries. With the In Scope By Default initiative, the company expects to expand eligibility even further, particularly in areas involving Microsoft-owned domains, cloud services, and third-party or open-source code.

Researchers participating in the program are expected to follow Microsoft’s Rules of Engagement for Responsible Security Research, ensuring customer privacy and data protection while enabling coordinated vulnerability disclosure. By widening its bug bounty scope, Microsoft aims to raise the overall security bar.
Received before yesterday

Microsoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products

11 December 2025 at 02:21

Overview: On December 10, NSFOCUS CERT detected that Microsoft released the December Security Update patch, which fixed 57 security issues involving widely used products such as Windows, Microsoft Office, Microsoft Exchange Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly update this […]

The post Microsoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

The post Microsoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

A new open-weights AI coding model is closing in on proprietary options

10 December 2025 at 15:38

On Tuesday, French AI startup Mistral AI released Devstral 2, a 123 billion parameter open-weights coding model designed to work as part of an autonomous software engineering agent. The model achieves a 72.2 percent score on SWE-bench Verified, a benchmark that attempts to test whether AI systems can solve real GitHub issues, putting it among the top-performing open-weights models.

Perhaps more notably, Mistral didn’t just release an AI model, it released a new development app called Mistral Vibe. It’s a command line interface (CLI) similar to Claude Code, OpenAI Codex, and Gemini CLI that lets developers interact with the Devstral models directly in their terminal. The tool can scan file structures and Git status to maintain context across an entire project, make changes across multiple files, and execute shell commands autonomously. Mistral released the CLI under the Apache 2.0 license.

It’s always wise to take AI benchmarks with a large grain of salt, but we’ve heard from employees of the big AI companies that they pay very close attention to how well models do on SWE-bench Verified, which presents AI models with 500 real software engineering problems pulled from GitHub issues in popular Python repositories. The AI must read the issue description, navigate the codebase, and generate a working patch that passes unit tests. While some AI researchers have noted that around 90 percent of the tasks in the benchmark test relatively simple bug fixes that experienced engineers could complete in under an hour, it’s one of the few standardized ways to compare coding models.


© Mistral / Benj Edwards

OpenAI Joins the Linux Foundation's New Agentic AI Foundation

9 December 2025 at 21:02
OpenAI, alongside Anthropic and Block, has launched the Agentic AI Foundation under the Linux Foundation, describing it as a neutral home for standards as agentic systems move into real production. It may sound well-meaning, but Slashdot reader and NERDS.xyz founder BrianFagioli isn't buying the narrative. In a report for NERDS.xyz, Fagioli writes: Instead of opening models, training data, or anything that would meaningfully shift power toward the community, the companies involved are donating lightweight artifacts like AGENTS.md, MCP, and goose. They're useful, but they're also the safest, least threatening pieces of their ecosystem to "open." From where I sit, it looks like a strategic attempt to lock in influence over emerging standards before truly open projects get a chance to define the space. I see the entire move as smoke and mirrors. With regulators paying closer attention and developer trust slipping, creating a Linux Foundation directed fund gives these companies convenient cover to say they're being transparent and collaborative. But nothing about this structure forces them to share anything substantial, and nothing about it changes the closed nature of their core technology. To me, it looks like Big Tech trying to set the rules of the game early, using the language of openness without actually embracing it. Slashdot readers have seen this pattern before, and this one feels no different.

Read more of this story at Slashdot.

Asked why we need Golden Dome, the man in charge points to a Hollywood film

9 December 2025 at 10:35

Near the end of the film A House of Dynamite, a fictional American president portrayed by Idris Elba sums up the theory of nuclear deterrence.

“Just being ready is the point, right?” Elba says. “It keeps people in check. Keeps the world straight. If they see how prepared we are, no one starts a nuclear war.”

There’s a lot that goes wrong in the film, namely the collapse of deterrence itself. For more than 60 years, the US military has used its vast arsenal of nuclear weapons, constantly deployed on Navy submarines, at Air Force bomber bases, and in Minuteman missile fields, as a way of saying, “Don’t mess with us.” In the event of a first strike against the United States, an adversary would be assured of an overwhelming nuclear response, giving rise to the concept of mutual assured destruction.


© US Air Force/Senior Airman Clayton Wear

How Home Assistant Leads a 'Local-First Rebellion'

7 December 2025 at 14:59
It runs locally, a free/open source home automation platform connecting all your devices together, regardless of brand. And GitHub's senior developer calls it "one of the most active, culturally important, and technically demanding open source ecosystems on the planet," with tens of thousands of contributors and millions of installations. That's confirmed by this year's "Octoverse" developer survey... Home Assistant was one of the fastest-growing open source projects by contributors, ranking alongside AI infrastructure giants like vLLM, Ollama, and Transformers. It also appeared in the top projects attracting first-time contributors, sitting beside massive developer platforms such as VS Code... Home Assistant is now running in more than 2 million households, orchestrating everything from thermostats and door locks to motion sensors and lighting. All on users' own hardware, not the cloud. The contributor base behind that growth is just as remarkable: 21,000 contributors in a single year... At its core, Home Assistant's problem is combinatorial explosion. The platform supports "hundreds, thousands of devices... over 3,000 brands," as [maintainer Franck Nijhof] notes. Each one behaves differently, and the only way to normalize them is to build a general-purpose abstraction layer that can survive vendor churn, bad APIs, and inconsistent firmware. Instead of treating devices as isolated objects behind cloud accounts, everything is represented locally as entities with states and events. A garage door is not just a vendor-specific API; it's a structured device that exposes capabilities to the automation engine. A thermostat is not a cloud endpoint; it's a sensor/actuator pair with metadata that can be reasoned about. That consistency is why people can build wildly advanced automations. Frenck describes one particularly inventive example: "Some people install weight sensors into their couches so they actually know if you're sitting down or standing up again. 
You're watching a movie, you stand up, and it will pause and then turn on the lights a bit brighter so you can actually see when you get your drink. You get back, sit down, the lights dim, and the movie continues." A system that can orchestrate these interactions is fundamentally a distributed event-driven runtime for physical spaces. Home Assistant may look like a dashboard, but under the hood it behaves more like a real-time OS for the home... The local-first architecture means Home Assistant can run on hardware as small as a Raspberry Pi but must handle workloads that commercial systems offload to the cloud: device discovery, event dispatch, state persistence, automation scheduling, voice pipeline inference (if local), real-time sensor reading, integration updates, and security constraints. This architecture forces optimizations few consumer systems attempt. "If any of this were offloaded to a vendor cloud, the system would be easier to build," the article points out. "But Home Assistant's philosophy reverses the paradigm: the home is the data center..." As Nijhof says of other vendor solutions, "It's crazy that we need the internet nowadays to change your thermostat."


Homebrew Can Now Help You Install Flatpaks Too

7 December 2025 at 10:34
"Homebrew, the package manager for macOS and Linux, just got a handy new feature in the latest v5.0.4 update," reports How-To Geek. Brewfile install scripts "are now more like a one-stop shop for installing software, as Flatpaks are now supported alongside Brew packages, Mac App Store Apps, and other packages." For those times when you need to install many software packages at once, like when setting up a new PC or virtual machine, you can create a Brewfile with a list of packages and run it with the 'brew bundle' command. However, the Brewfile isn't limited to just Homebrew packages. You can also use it to install Mac App Store apps, graphical apps through Casks, Visual Studio Code extensions, and Go language packages. Starting with this week's Homebrew v5.0.4 release, Flatpaks are now supported in Brewfiles as well... This turns Homebrew into a fantastic setup tool for macOS, Linux, and Windows Subsystem for Linux (WSL) environments. You can have one script with all your preferred software, and use 'if' statements with platform variables and existing file checks for added portability.


Valve Reveals It's the Architect Behind a Push To Bring Windows Games To Arm

3 December 2025 at 22:03
An anonymous reader quotes a report from The Verge's Sean Hollister: If you wrote off the Steam Frame as yet another VR headset few will want to wear, I guarantee you're not alone. But the Steam Frame isn't just a headset; it's a Trojan horse that contains the tech gamers need to play Steam games on the next Samsung Galaxy, the next Google Pixel, perhaps Arm gaming notebooks to come. I know, because I'm already using that tech on my Samsung Galaxy. There is no official Android version of Hollow Knight: Silksong, one of the best games of 2025, but that doesn't have to stop you anymore. Thanks to a stack of open-source technologies, including a compatibility layer called Proton and an emulator called Fex, games that were developed for x86-based Windows PCs can now run on Linux-based phones with the Arm processor architecture. With Proton, the Steam Deck could already do the Windows-to-Linux part; now, Fex is bridging x86 and Arm, too. This stack is what powers the Steam Frame's own ability to play Windows games, of course, and it was widely reported that Valve is using the open-source Fex emulator to make it happen. What wasn't widely reported: Valve is behind Fex itself. In an interview, Valve's Pierre-Loup Griffais, one of the architects behind SteamOS and the Steam Deck, tells The Verge that Valve has been quietly funding almost all the open-source technologies required to play Windows games on Arm. And because they're open-source, Valve is effectively shepherding a future where Arm phones, laptops, and desktops could freely do the same. He says the company believes game developers shouldn't be wasting time porting games if there's a better way. Remember when the Steam Deck handheld showed that a decade of investment in Linux could make Windows gaming portable? Valve paid open-source developers to follow their passions to help achieve that result.
Valve has been guiding the effort to bring games to Arm in much the same way: In 2016 and 2017, Griffais tells me, the company began recruiting and funding open-source developers to bring Windows games to Arm chips. Fex lead developer Ryan Houdek tells The Verge he chatted with Griffais himself at conferences those years and whipped up the first prototype in 2018. He tells me Valve pays enough that Fex is his full-time job. "I want to thank the people from Valve for being here from the start and allowing me to kickstart this project," he recently wrote.


Trump’s NASA Pick Poised to Win Senate Vote After Do-Over Hearing

3 December 2025 at 14:53
The president withdrew Jared Isaacman’s nomination to lead the space agency in June, but senators of both parties appeared willing to give him a second shot at confirmation.

© Tierney L. Cross/The New York Times

Jared Isaacman, the billionaire entrepreneur and NASA administrator nominee, appearing before the Senate on Wednesday.

Kubernetes Is Retiring Its Popular Ingress NGINX Controller

2 December 2025 at 20:01
During last month's KubeCon North America in Atlanta, Kubernetes maintainers announced the upcoming retirement of Ingress NGINX. "Best-effort maintenance will continue until March 2026," noted the Kubernetes SIG Network and the Security Response Committee. "Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered." In a recent op-ed for The Register, Steven J. Vaughan-Nichols reflects on the decision and speculates about what might have prevented this outcome: Ingress NGINX, for those who don't know it, is an ingress controller in Kubernetes clusters that manages and routes external HTTP and HTTPS traffic to the cluster's internal services based on configurable Ingress rules. It acts as a reverse proxy, ensuring that requests from clients outside the cluster are forwarded to the correct backend services within the cluster according to path, domain, and TLS configuration. As such, it's vital for network traffic management and load balancing. You know, the important stuff. Now this longstanding project, once celebrated for its flexibility and breadth of features, will soon be "abandonware." So what? After all, it won't be the first time a once-popular program shuffled off the stage. Off the top of my head, dBase, Lotus 1-2-3, and VisiCalc spring to my mind. What's different is that there are still thousands of Ingress NGINX controllers in use. Why is it being put down, then, if it's so popular? Well, there is a good reason. As Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, pointed out: "Ingress NGINX has always struggled with insufficient or barely sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours, and on weekends. 
Last year, the Ingress NGINX maintainers announced their plans to wind down Ingress NGINX and develop a replacement controller together with the Gateway API community. Unfortunately, even that announcement failed to generate additional interest in helping maintain Ingress NGINX or develop InGate to replace it." [...] The final nail in the coffin was when security company Wix found a killer Ingress NGINX security hole. How bad was it? Wix declared: "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover." [...] You see, the real problem isn't that Ingress NGINX has a major security problem. Heck, hardly a month goes by without another stop-the-presses Windows bug being uncovered. No, the real issue is that here we have yet another example of a mission-critical open source program no one pays to support...


ULA aimed to launch up to 10 Vulcan rockets this year—it will fly just once

26 November 2025 at 18:13

Around this time last year, officials at United Launch Alliance projected 2025 would be their busiest year ever. Tory Bruno, ULA’s chief executive, told reporters the company would launch as many as 20 missions this year, with roughly an even split between the legacy Atlas V launcher and its replacement, the Vulcan rocket.

Now, it’s likely that ULA will close out 2025 with six flights—five with the Atlas V and just one with the Vulcan rocket the company is so eager to accelerate into service. Six flights would make 2025 the busiest launch year for ULA since 2022, but it would still fall well short of the company’s forecast.

Last week, ULA announced its next launch is scheduled for December 15. An Atlas V will loft another batch of broadband satellites for the Amazon Leo network, formerly known as Project Kuiper, from Cape Canaveral Space Force Station, Florida. This will be ULA’s last launch of the year.


© United Launch Alliance

A.I. Can Do More of Your Shopping This Holiday Season

New tools and features from retailers and tech companies use artificial intelligence to help people find gifts and make decisions about their shopping lists.

© Janet Mac

Rivals object to SpaceX’s Starship plans in Florida—who’s interfering with whom?

24 November 2025 at 17:52

The commander of the military unit responsible for running the Cape Canaveral spaceport in Florida expects SpaceX to begin launching Starship rockets there next year.

Launch companies with facilities near SpaceX’s Starship pads are not pleased. SpaceX’s two chief rivals, Blue Origin and United Launch Alliance, complained last year that SpaceX’s proposal of launching as many as 120 Starships per year from Florida’s Space Coast could force them to routinely clear personnel from their launch pads for safety reasons.

This isn’t the first time Blue Origin and ULA have tried to throw up roadblocks in front of SpaceX. The companies sought to prevent NASA from leasing a disused launch pad to SpaceX in 2013, but they lost the fight.


© SpaceX

Pebble Goes Fully Open Source

24 November 2025 at 17:40
Core Devices has fully open-sourced the entire Pebble software stack and confirmed the first Pebble Time 2 shipments will start in January. "This is the clearest sign yet that the platform is shifting from a company-led product to a community-backed project that can survive independently," reports Gadgets & Wearables. From the report: The announcement follows weeks of tension between Core Devices and parts of the Pebble community. By moving from 95 to 100 percent open source, the company has essentially removed itself as a bottleneck. Users can now build, run, and maintain every piece of software needed to operate a Pebble watch. That includes firmware for the watch and mobile apps for Android and iOS. This puts the entire software stack into public hands. According to the announcement, Core Devices has released the mobile app source code, enabled decentralized app distribution, and made hardware more repairable with replaceable batteries and published design files.


Salesforce Confirms Wider Impact in Ongoing Gainsight Security Incident

24 November 2025 at 05:46


Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange. While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal.

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce. In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments. Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents—such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0—and dozens of IP addresses linked to suspicious access attempts. Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.

Thunderbird Pro Enters Production Testing Ahead of $9/Month Launch

21 November 2025 at 13:49
Thunderbird Pro has moved its Thundermail email service into production testing as the open-source email client's subscription bundle of additional services prepares for an Early Bird beta launch at $9 per month that will include email hosting, encrypted file sharing through Send, and scheduling via Appointment. Internal team members are now testing Thundermail accounts and the new Thunderbird Pro add-on automatically adds Thundermail accounts for users who sign up through it. The project migrated its data hosting from the Americas to Germany and the EU. Appointment received a major visual redesign being applied across all three services while Send completed an external security review and moved from its standalone add-on into the unified Thunderbird Pro add-on. The new website at tb.pro is live for signups and account management.


Microsoft Open-Sources Classic Text Adventure Zork Trilogy

20 November 2025 at 15:51
Microsoft has released the source code for Zork I, II, and III under the MIT License through a collaboration with Team Xbox and Activision that involved submitting pull requests to historical source repositories maintained by digital archivist Jason Scott. Each repository now includes the original source code and accompanying documentation. The games arrived on early home computers in the 1980s as text-based adventures built on the Z-Machine, a virtual machine that allowed the same story files to run across different platforms. Infocom created the Z-Machine after discovering the original mainframe version was too large for home computers. The team split the game into three titles that all ran on the same underlying system. The code release covers only the source files and does not include commercial packaging or trademark rights. The games remain available commercially through The Zork Anthology on Good Old Games and can be compiled locally using ZILF, a modern Z-Machine interpreter.


Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09


Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.

Attack, defend, pursue—the Space Force’s new naming scheme foretells new era

20 November 2025 at 08:48

A little more than a century ago, the US Army Air Service came up with a scheme for naming the military’s multiplying fleet of airplanes.

The 1924 aircraft designation code produced memorable names like the B-17, A-26, B-29, and P-51—B for bomber, A for attack, and P for pursuit—during World War II. The military later changed the prefix for pursuit aircraft to F for fighter, leading to recognizable modern names like the F-15 and F-16.

Now, the newest branch of the military is carving its own path with a new document outlining how the Space Force, which can trace its lineage back to the Army Air Service, will name and designate its “weapon systems” on the ground and in orbit. Ars obtained a copy of the document, first written in 2023 and amended in 2024.


© York Space Systems

Black Friday Fraud: The Hidden Threat in Mobile Commerce

19 November 2025 at 17:45

Every year, Black Friday drives a surge of online purchases—but it also opens the floodgates for fraud. While most conversations focus on phishing emails or sketchy websites, the real cybersecurity frontline for e-commerce lies behind the scenes: mobile apps. Developers, not consumers, hold the power to stop many of these attacks—but only if they understand how today’s fraudsters exploit mobile APIs.

The post Black Friday Fraud: The Hidden Threat in Mobile Commerce appeared first on Security Boulevard.

Microsoft’s November Security Update of High-Risk Vulnerability Notice for Multiple Products

13 November 2025 at 21:33

Overview: On November 12, NSFOCUS CERT detected that Microsoft released the November Security Update patch, which fixed 63 security issues involving widely used products such as Windows, Microsoft Office, Microsoft SQL Server, Azure, and Microsoft Visual Studio, including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly […]

The post Microsoft’s November Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.

The post Microsoft’s November Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

Drilling Down on Uncle Sam’s Proposed TP-Link Ban

9 November 2025 at 13:14

The U.S. government is reportedly preparing to ban the sale of wireless routers and other networking gear from TP-Link Systems, a tech company that currently enjoys an estimated 50% market share among home users and small businesses. Experts say while the proposed ban may have more to do with TP-Link’s ties to China than any specific technical threats, much of the rest of the industry serving this market also sources hardware from China and ships products that are insecure fresh out of the box.

A TP-Link WiFi 6 AX1800 Smart WiFi Router (Archer AX20).

The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States. The story said U.S. Department of Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government.

TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years, and that its critics have vastly overstated the company’s market share (TP-Link puts it at around 30 percent). TP-Link says it has headquarters in California, with a branch in Singapore, and that it manufactures in Vietnam. The company says it researches, designs, develops and manufactures everything except its chipsets in-house.

TP-Link Systems told The Post it has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies, and that it operates them without Chinese government supervision.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”

Cost is a big reason TP-Link devices are so prevalent in the consumer and small business market: As this February 2025 story from Wired observed regarding the proposed ban, TP-Link has long had a reputation for flooding the market with devices that are considerably cheaper than comparable models from other vendors. That price point (and consistently excellent performance ratings) has made TP-Link a favorite among Internet service providers (ISPs) that provide routers to their customers.

In August 2024, the chairman and the ranking member of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party called for an investigation into TP-Link devices, which they said were found on U.S. military bases and for sale at exchanges that sell them to members of the military and their families.

“TP-Link’s unusual degree of vulnerabilities and required compliance with PRC law are in and of themselves disconcerting,” the House lawmakers warned in a letter (PDF) to the director of the Commerce Department. “When combined with the PRC government’s common use of SOHO [small office/home office] routers like TP-Link to perpetrate extensive cyberattacks in the United States, it becomes significantly alarming.”

The letter cited a May 2023 blog post by Check Point Research about a Chinese state-sponsored hacking group dubbed “Camaro Dragon” that used a malicious firmware implant for some TP-Link routers to carry out a sequence of targeted cyberattacks against European foreign affairs entities. Check Point said while it only found the malicious firmware on TP-Link devices, “the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”

In a report published in October 2024, Microsoft said it was tracking a network of compromised TP-Link small office and home office routers that has been abused by multiple distinct Chinese state-sponsored hacking groups since 2021. Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts. Password spraying involves rapidly attempting to access a large number of accounts (usernames/email addresses) with a relatively small number of commonly used passwords.

TP-Link rightly points out that most of its competitors likewise source components from China. The company also correctly notes that advanced persistent threat (APT) groups from China and other nations have leveraged vulnerabilities in products from their competitors, such as Cisco and Netgear.

But that may be cold comfort for TP-Link customers who are now wondering if it’s smart to continue using these products, or whether it makes sense to buy more costly networking gear that might only be marginally less vulnerable to compromise.

Almost without exception, the hardware and software that ships with most consumer-grade routers includes a number of default settings that need to be changed before the devices can be safely connected to the Internet. For example, bring a new router online without changing the default username and password and chances are it will only take a few minutes before it is probed and possibly compromised by some type of Internet-of-Things botnet. Also, it is incredibly common for the firmware in a brand new router to be dangerously out of date by the time it is purchased and unboxed.

Until quite recently, the idea that router manufacturers should make it easier for their customers to use these products safely was something of an anathema to this industry. Consumers were largely left to figure that out on their own, with predictably disastrous results.

But over the past few years, many manufacturers of popular consumer routers have begun forcing users to perform basic hygiene — such as changing the default password and updating the internal firmware — before the devices can be used as a router. For example, most brands of “mesh” wireless routers — like Amazon’s Eero, Netgear’s Orbi series, or Asus’s ZenWifi — require online registration that automates these critical steps going forward (or at least through their stated support lifecycle).

For better or worse, less expensive, traditional consumer routers like those from Belkin and Linksys also now automate this setup by heavily steering customers toward installing a mobile app to complete the installation (this often comes as a shock to people more accustomed to manually configuring a router). Still, these products tend to put the onus on users to check for and install available updates periodically. Also, they’re often powered by underwhelming or else bloated firmware, and a dearth of configurable options.

Of course, not everyone wants to fiddle with mobile apps or is comfortable with registering their router so that it can be managed or monitored remotely in the cloud. For those hands-on folks — and for power users seeking more advanced router features like VPNs, ad blockers and network monitoring — the best advice is to check if your router’s stock firmware can be replaced with open-source alternatives, such as OpenWrt or DD-WRT.

These open-source firmware options are compatible with a wide range of devices, and they generally offer more features and configurability. Open-source firmware can even help extend the life of routers years after the vendor stops supporting the underlying hardware, but it still requires users to manually check for and install any available updates.

Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options like OpenWrt. While this approach may not eliminate any potential hardware-specific security flaws, it could serve as an effective hedge against more common vendor-specific vulnerabilities, such as undocumented user accounts, hard-coded credentials, and weaknesses that allow attackers to bypass authentication.

Regardless of the brand, if your router is more than four or five years old it may be worth upgrading for performance reasons alone — particularly if your home or office is primarily accessing the Internet through WiFi.

NB: The Post’s story notes that a substantial portion of TP-Link routers and those of its competitors are purchased or leased through ISPs. In these cases, the devices are typically managed and updated remotely by your ISP, and equipped with custom profiles responsible for authenticating your device to the ISP’s network. If this describes your setup, please do not attempt to modify or replace these devices without first consulting with your Internet provider.

The Twilio-Stytch Acquisition: A Watershed Moment for Developer-First CIAM

Twilio acquiring Stytch signals a major shift in developer CIAM. I've analyzed 20+ platforms—from Descope to Keycloak—to show you which deliver on Auth0's promise without the lock-in. OpenID standards, AI agent auth, and what actually matters when choosing your identity platform.

The post The Twilio-Stytch Acquisition: A Watershed Moment for Developer-First CIAM appeared first on Security Boulevard.

Amazon’s Profit Is Up 38% on Strong Performance

30 October 2025 at 18:03
After unexpectedly strong sales and profits across its consumer and cloud businesses, the tech giant said another strong quarter might be ahead.

© AJ Mast for The New York Times

Amazon’s cloud computing complex in New Carlisle, Ind. The company reported that sales for that division were up 20 percent from a year earlier.

OpenAI’s Aardvark is an AI Security Agent Combating Code Vulnerabilities

30 October 2025 at 16:26

OpenAI on Thursday launched Aardvark, an artificial intelligence (AI) agent designed to autonomously detect and help fix security vulnerabilities in software code, offering defenders a potentially valuable tool against malicious hackers. The GPT-5-powered tool, currently in private beta, represents what OpenAI calls a “defender-first model” that continuously monitors code repositories to identify vulnerabilities as software..

The post OpenAI’s Aardvark is an AI Security Agent Combating Code Vulnerabilities appeared first on Security Boulevard.

Amazon to Cut 14,000 White-Collar Jobs

28 October 2025 at 07:10
The company is looking to slash costs by “reducing bureaucracy, removing layers, and shifting resources” as it continues to spend aggressively on artificial intelligence.

© Karsten Moran for The New York Times

Amazon is looking to cut billions of dollars in its operating expenses

Microsoft Issues Emergency Patch for Critical WSUS Remote Code Execution Flaw (CVE-2025-59287)


Microsoft has released an urgent out-of-band security update to address a severe remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). The flaw, tracked as CVE-2025-59287, poses a direct risk to organizations that utilize WSUS to manage Windows updates across their IT infrastructure. 

Overview of the CVE-2025-59287 Vulnerability 

The vulnerability, identified as a case of CWE-502: Deserialization of Untrusted Data, occurs when WSUS improperly deserializes untrusted objects. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted request to the WSUS service.

Because WSUS commonly runs under the SYSTEM account, successful exploitation would allow the attacker to execute arbitrary code with the highest privileges, effectively gaining full control of the targeted system.

Microsoft has rated the flaw as Critical with a CVSS 3.1 base score of 9.8. The attack vector is network-based, requires no authentication or user interaction, and has low complexity. The vulnerability’s scope, confidentiality, integrity, and availability impacts are all classified as high. Microsoft has also assessed exploitation as “More Likely,” increasing the urgency for administrators to patch affected systems immediately.

Affected Versions 

The RCE vulnerability affects several supported editions of Windows Server, including: 
  • Windows Server 2012 and 2012 R2 
  • Windows Server 2016 
  • Windows Server 2019 
  • Windows Server 2022 (including the 23H2 Server Core edition) 
  • Windows Server 2025

By default, the WSUS server role is not enabled on Windows Server installations. However, once enabled, unpatched servers become vulnerable to exploitation. Microsoft emphasizes that servers without the WSUS role activated are not affected by CVE-2025-59287.

Timeline of Discovery and Patching 

The vulnerability was first disclosed on October 14, 2025, with Microsoft formally registering it under the identifier CVE-2025-59287. Following the discovery, Microsoft released an out-of-band update on October 23, 2025, after confirming the existence of publicly available proof-of-concept (PoC) exploit code. This prompted an update to the CVSS temporal score to reflect the increased maturity of the exploit.

The update is available through multiple channels, including Windows Update, Microsoft Update, and Microsoft Update Catalog. Systems configured to automatically receive updates will download and install the patch without manual intervention. A system reboot is required after applying the update.

Mitigation and Workarounds

For organizations unable to immediately install the October 23, 2025, patch, Microsoft has provided several temporary mitigations: 
  • Disable the WSUS Server Role: Doing so prevents exploitation but also halts update delivery to clients. 
  • Block Inbound Traffic: Administrators can block ports 8530 and 8531 on the host firewall to render WSUS non-operational and mitigate the risk of attack.

Microsoft warns that these workarounds should remain in place until the official patch is successfully applied. Reverting them before updating could leave systems exposed to potential exploitation.

Exploitability and Risk 

At the time of release, Microsoft reported no evidence of active exploitation or public disclosure beyond the proof-of-concept code. However, a successful compromise of a WSUS server could allow attackers to distribute malicious updates throughout an organization’s network, manipulate system configurations, or pivot deeper into internal environments.

CVE-2025-59287 was reported by Markus Wulftange of CODE WHITE GmbH, with Microsoft acknowledging his contribution to identifying and responsibly disclosing the issue.

The ability for an unauthenticated attacker to achieve RCE over a network, without user interaction, elevates this vulnerability to a critical priority. Organizations relying on WSUS should verify that the October 23, 2025, update has been applied across all affected systems. Until fully patched, any unprotected WSUS installation remains at risk of compromise.

SessionReaper Exploits Erupt as Magento Sites Lag on Patching

24 October 2025 at 04:41


Six weeks after Adobe shipped an emergency fix, attackers have begun weaponizing SessionReaper — and most Magento stores still stand exposed.

Security firm Sansec’s forensics team said it blocked hundreds of real-world exploitation attempts of the SessionReaper bug as proof-of-concept code and a technical write-up circulated publicly. For those who still have not patched this bug, it is a critical warning that widespread abuse will follow.

What Is the SessionReaper Bug?

SessionReaper (CVE-2025-54236) is an unauthenticated, remote-code-execution flaw in Adobe Commerce / Magento that stems from nested deserialization in admin-facing functionality. Assetnote published the technical analysis that demonstrated how an attacker could craft requests to trigger object deserialization and run arbitrary PHP — a straight path to web shells and full shop takeover. With exploit details now public, Sansec researchers said the window for safe patching had effectively closed.

Sansec researchers reported that only 38% of Magento stores had applied Adobe’s patch six weeks after disclosure, leaving roughly 62% vulnerable to automated scans and commodity exploit tooling. They also confirmed blocking more than 250 exploitation attempts in a single day and observed initial payloads that delivered PHP webshells or phpinfo probes. The company published an initial set of attacker source IPs to help defenders triage incoming traffic.


Attackers Exploited Familiar eCommerce Playbook

Researchers said the flow of the attack is not novel and has been observed earlier. The attackers scanned the web for reachable admin consoles, sent crafted HTTP requests to the vulnerable endpoint and dropped webshells to persist and pivot.

Sansec compared SessionReaper’s potential impact to previous mass-compromise flaws such as Shoplift (2015) and CosmicSting (2024), both of which spawned waves of site-wide infections and payment-card skimming campaigns. With automated exploit scanners and proof-of-concept code circulating, researchers expect mass compromise within hours of public analysis.

The defensive checklist that the researchers suggested remains simple but urgent. They urged store owners to deploy the vendor patch or upgrade to the latest security release immediately; to activate a web application firewall (WAF) if they cannot patch right away; and to run a thorough compromise scan for indicators such as unexpected PHP webshells, new files in webroot and suspicious scheduled tasks. They also advised searching logs for the IPs Sansec observed to identify probing activity.

The warning held particular weight because of the way ecommerce platforms amplify risk. Magento and Adobe Commerce sit at the intersection of payments, customer PII and third-party plugins. A single compromised admin console can let an attacker replace checkout pages, inject payment skimmers, and harvest credit-card data at scale. Attackers historically monetized these compromises rapidly, either by installing Magecart skimmers or building backend access for long-running fraud operations. Sansec’s timeline explicitly linked SessionReaper to that same class of high-impact supply-chain abuse.

The SessionReaper episode offered two broader lessons. First, critical-path fixes for internet-facing infrastructure must move faster than the adversary’s ability to automate; Adobe’s patch arrived, but adoption lagged dangerously. Second, ecommerce operators needed layered controls. Patching alone would stop exploitation, but WAFs, hardened deployment practices, privilege separation and continuous file-integrity monitoring buy time when immediate patching proves difficult.


RCE Vulnerability (CVE-2025-62518) Discovered in Popular Rust Library async-tar and Its Forks


A critical flaw has been identified in a Rust library that demands immediate attention from developers and IT decision-makers leveraging the Rust ecosystem. The vulnerability, tracked as CVE-2025-62518, exposes serious remote code execution (RCE) risks in the widely used async-tar library ecosystem.

The root of the problem lies in a boundary-parsing error within a key Rust component. The library at the center is the async-tar “family” of crates: the original async-tar library and its many forks, including the popular tokio-tar and astral-tokio-tar. According to vulnerability listings, versions of astral-tokio-tar before 0.5.6 contain the flaw. NVD records confirm it was published on October 21, 2025.

Researchers at Edera dubbed the vulnerability “TARmageddon” and described it as a boundary-parsing bug in a Rust library that can lead to RCE via file overwriting attacks, such as replacing configuration files or hijacking build back-ends.

Technical Overview of the CVE‑2025‑62518 Vulnerability 

The issue lies in the inconsistent handling of PAX and ustar headers during TAR-file extraction in the affected Rust library. In some TAR archives, a PAX header may indicate a file size (say X bytes), while the accompanying ustar header incorrectly indicates zero bytes.

The vulnerable library uses the ustar size (zero) when advancing the stream, failing to skip over the actual file data of the nested archive. As a result, the parser misaligns and treats headers of the nested archive as entries in the outer archive. This misalignment allows for:
  • File-overwriting attacks during extraction 
  • Supply-chain poisoning via build systems or package managers 
  • Bypassing security scanners or manifest checks by hiding nested archives

In one example scenario, an attacker crafts a malicious archive such that during extraction via the vulnerable Rust library (in a build or CI system), the hidden inner TAR injects or overwrites files unexpectedly, potentially giving the attacker remote code execution (RCE) privileges.
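A pre-extraction check for the PAX/ustar size disagreement described above can be sketched as follows. This is an added example, not code from Edera, async-tar or its forks; the names `find_size_mismatches` and `sample_archive` are hypothetical, the sample archive is constructed inline with filler data, and the parser is simplified (no checksum validation, per-file PAX headers only).

```rust
// Added example (not from async-tar or its forks): flag tar entries whose PAX
// `size` record disagrees with the size field of the ustar header that follows.
// Simplifications (assumptions): checksums are not verified and only per-file
// PAX headers (typeflag 'x') are handled.
const BLOCK: usize = 512;

#[derive(Debug, PartialEq)]
pub struct Mismatch {
    pub name: String,
    pub pax_size: u64,
    pub ustar_size: u64,
}

/// Decode the octal number stored in a ustar header field.
fn parse_octal(field: &[u8]) -> u64 {
    field.iter().copied()
        .skip_while(|b| *b == b' ')
        .take_while(|b| (b'0'..=b'7').contains(b))
        .fold(0u64, |acc, b| acc * 8 + u64::from(b - b'0'))
}

/// Return the `size` value from PAX records of the form "LEN key=value\n".
fn pax_size(data: &[u8]) -> Option<u64> {
    let mut rest = data;
    while !rest.is_empty() {
        let sp = rest.iter().position(|b| *b == b' ')?;
        let len: usize = std::str::from_utf8(&rest[..sp]).ok()?.parse().ok()?;
        if len < sp + 2 || len > rest.len() {
            return None; // malformed record length
        }
        let record = &rest[sp + 1..len - 1]; // strip "LEN " and the trailing '\n'
        if let Some(value) = record.strip_prefix(b"size=") {
            return std::str::from_utf8(value).ok()?.parse().ok();
        }
        rest = &rest[len..];
    }
    None
}

/// Walk the archive and report every entry where the two size sources differ.
pub fn find_size_mismatches(archive: &[u8]) -> Vec<Mismatch> {
    let mut out = Vec::new();
    let mut pos: usize = 0;
    let mut pending: Option<u64> = None; // size announced by the preceding PAX header
    while archive.len().saturating_sub(pos) >= BLOCK {
        let hdr = &archive[pos..pos + BLOCK];
        if hdr.iter().all(|b| *b == 0) {
            break; // end-of-archive marker
        }
        let size = parse_octal(&hdr[124..136]);
        let mut data_len = size;
        if hdr[156] == b'x' {
            let end = pos.saturating_add(BLOCK).saturating_add(size as usize).min(archive.len());
            pending = pax_size(&archive[pos + BLOCK..end]);
        } else if let Some(pax) = pending.take() {
            if pax != size {
                let name = String::from_utf8_lossy(&hdr[..100]).trim_end_matches('\0').to_string();
                out.push(Mismatch { name, pax_size: pax, ustar_size: size });
            }
            data_len = pax; // the PAX value takes precedence when advancing
        }
        let padded = (data_len as usize).saturating_add(BLOCK - 1) / BLOCK * BLOCK;
        pos = pos.saturating_add(BLOCK).saturating_add(padded);
    }
    out
}

/// Build one 512-byte ustar header (checksum left zero; constructed test data).
fn header(name: &str, size: u64, typeflag: u8) -> [u8; BLOCK] {
    let mut h = [0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", size).as_bytes());
    h[156] = typeflag;
    h[257..263].copy_from_slice(b"ustar\0");
    h
}

/// Constructed sample: a PAX header announcing 1024 bytes, then a ustar header
/// for "blob.bin" carrying `ustar_size`, 1024 filler bytes, and one more entry.
pub fn sample_archive(ustar_size: u64) -> Vec<u8> {
    let mut pax = b"13 size=1024\n".to_vec();
    let pax_len = pax.len() as u64;
    pax.resize(BLOCK, 0);
    let mut a = Vec::new();
    a.extend_from_slice(&header("PaxHeader/blob.bin", pax_len, b'x'));
    a.extend_from_slice(&pax);
    a.extend_from_slice(&header("blob.bin", ustar_size, b'0'));
    a.extend_from_slice(&[b'A'; 1024]);
    a.extend_from_slice(&header("after.txt", 0, b'0'));
    a.extend_from_slice(&[0u8; 2 * BLOCK]);
    a
}

fn main() {
    for m in find_size_mismatches(&sample_archive(0)) {
        println!("{}: PAX size {} but ustar size {}", m.name, m.pax_size, m.ustar_size);
    }
}
```

Rejecting or quarantining any archive that produces a mismatch before handing it to an extractor complements the upgrade; it does not replace it.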

Scope & affected ecosystem 

Because tokio-tar has over 5 million downloads and has been used widely (often as an indirect dependency), the blast radius is large. Projects known to be impacted include uv (a Python package manager), testcontainers, and wasmCloud.

The complexity is worsened by the fact that the most popular fork (tokio-tar) appears to be unmaintained (“abandonware”), meaning the fix cannot simply be pushed upstream and inherited automatically.

Disclosure timeline 

The vulnerability disclosure followed a non-standard, decentralized process because of the upstream abandonment. Key dates: 
  • August 21, 2025: Bug discovered by Edera and a minimal repro built. 
  • August 22: Patches created and initial disclosures made to library maintainers and select downstream users under a 60-day embargo (ending October 21). 
  • September 2: Acknowledgment from the upstream async-tar project. 
  • October 21, 2025: Public release of advisory and patches. 

Conclusion  

Organizations using the affected Rust library should act quickly to address CVE-2025-62518, a high-severity RCE vulnerability in the async-tar ecosystem. The safest step is to upgrade to astral-tokio-tar version 0.5.6 or later or migrate away from unmaintained forks like tokio-tar.

If immediate patching isn’t possible, apply mitigations such as sandboxed extraction, file-size limits, and post-extraction scans, and review dependencies for indirect exposure. The TARmageddon flaw highlights that even Rust’s strong safety features can’t prevent logic bugs.

ShinyHunters Wage Broad Corporate Extortion Spree

7 October 2025 at 18:45

A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

The new extortion website tied to ShinyHunters (UNC6040), which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.

The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.

Last week, a new victim shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.

“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”

Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).

Image: Mandiant.

On October 5, the Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).

“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.

Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.

Red Hat disclosed on October 2 that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.

“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.

Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, emails, IP address, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.

The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole vast amounts of authentication tokens from Salesloft, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.

In a communication sent to customers today, Salesforce emphasized that the theft of any third-party Salesloft data allegedly stolen by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.

“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”

The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.

Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name Service (DNS) servers from DDoS-Guard to Cloudflare.

But before it died, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.

Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.

On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.

A screenshot of the phishing message linking to a malicious trojan disguised as a Windows screensaver file.

KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.

The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is here). Simply viewing the booby-trapped screensaver on a Windows PC is enough to cause the bundled trojan to launch in the background.

Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.

A scan of the malicious screensaver file at Virustotal.com shows it is detected as bad by nearly a dozen security and antivirus tools.

“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”

Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.

With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with extorting at least $115 million in ransom payments from companies victimized by data theft.

U.S. prosecutors heaped their own charges on the 19-year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.

A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teen hackers, refers derisively to Thalha Jubair as a part of an APT threat known as “Advanced Persistent Teenagers.”

In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay roughly $13 million in restitution to victims.

In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the U.S., where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.

Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.

The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft

1 September 2025 at 17:55

The recent mass-theft of authentication tokens from Salesloft, whose AI chatbot is used by a broad swath of corporate America to convert customer interaction into Salesforce leads, has left many companies racing to invalidate the stolen credentials before hackers can exploit them. Now Google warns the breach goes far beyond access to Salesforce data, noting the hackers responsible also stole valid authentication tokens for hundreds of online services that customers can integrate with Salesloft, including Slack, Google Workspace, Amazon S3, Microsoft Azure, and OpenAI.

Salesloft says its products are trusted by 5,000+ customers. Some of the bigger names are visible on the company’s homepage.

Salesloft disclosed on August 20 that, “Today, we detected a security issue in the Drift application,” referring to the technology that powers an AI chatbot used by so many corporate websites. The alert urged customers to re-authenticate the connection between the Drift and Salesforce apps to invalidate their existing authentication tokens, but it said nothing then to indicate those tokens had already been stolen.

On August 26, the Google Threat Intelligence Group (GTIG) warned that unidentified hackers tracked as UNC6395 used the access tokens stolen from Salesloft to siphon large amounts of data from numerous corporate Salesforce instances. Google said the data theft began as early as Aug. 8, 2025 and lasted through at least Aug. 18, 2025, and that the incident did not involve any vulnerability in the Salesforce platform.

Google said the attackers have been sifting through the massive data haul for credential materials such as AWS keys, VPN credentials, and credentials to the cloud storage provider Snowflake.

“If successful, the right credentials could allow them to further compromise victim and client environments, as well as pivot to the victim’s clients or partner environments,” the GTIG report stated.

The GTIG updated its advisory on August 28 to acknowledge the attackers used the stolen tokens to access email from “a very small number of Google Workspace accounts” that were specially configured to integrate with Salesloft. More importantly, it warned organizations to immediately invalidate all tokens stored in or connected to their Salesloft integrations — regardless of the third-party service in question.

“Given GTIG’s observations of data exfiltration associated with the campaign, organizations using Salesloft Drift to integrate with third-party platforms (including but not limited to Salesforce) should consider their data compromised and are urged to take immediate remediation steps,” Google advised.
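One way to scope that remediation is to look for the same credential material the attackers were reported to be hunting for in the stolen records. The sketch below is an added example, not code from the article or from GTIG; the record layout and sample rows are constructed, and the password pattern is a heuristic assumed for illustration.

```python
import re

# Patterns for the credential types named in the GTIG warning. The AWS
# access key ID prefixes and the Snowflake hostname suffix are public
# formats; the password pattern is a heuristic assumed for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "snowflake_account_url": re.compile(
        r"\b[a-z0-9][a-z0-9._-]*\.snowflakecomputing\.com\b", re.I),
    "password_assignment": re.compile(
        r"\b(?:password|passwd|pwd|secret)\b\s*[:=]\s*(\S+)", re.I),
}

def redact(value, keep=4):
    """Keep a short prefix for triage so the report is not a new leak."""
    return value[:keep] + "*" * max(len(value) - keep, 0)

def scan_records(records):
    """Return one finding per credential-like string in exported text fields."""
    findings = []
    for rec in records:
        for field, text in rec.items():
            if field == "Id" or not isinstance(text, str):
                continue
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    # Use the captured value when the pattern has a group.
                    value = m.group(1) if pattern.groups else m.group(0)
                    findings.append({"record": rec["Id"], "field": field,
                                     "kind": kind, "match": redact(value)})
    return findings

def rotation_worklist(findings):
    """Group findings by credential kind, mapping to the record ids to review."""
    work = {}
    for f in findings:
        work.setdefault(f["kind"], set()).add(f["record"])
    return {kind: sorted(ids) for kind, ids in work.items()}

# Constructed sample rows shaped like a support-case export; not real data.
SAMPLE_CASES = [
    {"Id": "CASE-0001", "Subject": "S3 sync failing",
     "Description": "Customer pasted key AKIAIOSFODNN7EXAMPLE in the ticket."},
    {"Id": "CASE-0002", "Subject": "Warehouse login",
     "Description": "Login at acme-xy12345.snowflakecomputing.com, password: Tr0ub4dor&3"},
    {"Id": "CASE-0003", "Subject": "Invoice question",
     "Description": "Please resend the March invoice."},
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_CASES):
        print(finding)
    print(rotation_worklist(scan_records(SAMPLE_CASES)))
```

Every record that appears in the worklist points at a credential that should be rotated at the issuing service, since invalidating the Salesloft tokens does not revoke secrets that were already copied out of the stored data.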

On August 28, Salesforce blocked Drift from integrating with its platform, and with its productivity platforms Slack and Pardot.

The Salesloft incident comes on the heels of a broad social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. That campaign led to data breaches and extortion attacks affecting a number of companies including Adidas, Allianz Life and Qantas.

On August 5, Google disclosed that one of its corporate Salesforce instances was compromised by the attackers, which the GTIG has dubbed UNC6040 (“UNC” stands for “uncategorized threat group”). Google said the extortionists consistently claimed to be the threat group ShinyHunters, and that the group appeared to be preparing to escalate its extortion attacks by launching a data leak site.

ShinyHunters is an amorphous threat group known for using social engineering to break into cloud platforms and third-party IT providers, and for posting dozens of stolen databases to cybercrime communities like the now-defunct Breachforums.

The ShinyHunters brand dates back to 2020, and the group has been credited with or taken responsibility for dozens of data leaks that exposed hundreds of millions of breached records. The group’s member roster is thought to be somewhat fluid, drawing mainly from active denizens of the Com, a mostly English-language cybercrime community scattered across an ocean of Telegram and Discord servers.

Recorded Future’s Alan Liska told Bleeping Computer that the overlap in the “tools, techniques and procedures” used by ShinyHunters and the Scattered Spider extortion group likely indicates some crossover between the two groups.

To muddy the waters even further, on August 28 a Telegram channel that now has nearly 40,000 subscribers was launched under the intentionally confusing banner “Scattered LAPSUS$ Hunters 4.0,” wherein participants have repeatedly claimed responsibility for the Salesloft hack without actually sharing any details to prove their claims.

The Telegram group has been trying to attract media attention by threatening security researchers at Google and other firms. It also is using the channel’s sudden popularity to promote a new cybercrime forum called “Breachstars,” which they claim will soon host data stolen from victim companies who refuse to negotiate a ransom payment.

The “Scattered Lapsus$ Hunters 4.0” channel on Telegram now has roughly 40,000 subscribers.

But Austin Larsen, a principal threat analyst at Google’s threat intelligence group, said there is no compelling evidence to attribute the Salesloft activity to ShinyHunters or to other known groups at this time.

“Their understanding of the incident seems to come from public reporting alone,” Larsen told KrebsOnSecurity, referring to the most active participants in the Scattered LAPSUS$ Hunters 4.0 Telegram channel.

Joshua Wright, a senior technical director at Counter Hack, is credited with coining the term “authorization sprawl” to describe one key reason that social engineering attacks from groups like Scattered Spider and ShinyHunters so often succeed: They abuse legitimate user access tokens to move seamlessly between on-premises and cloud systems.

Wright said this type of attack chain often goes undetected because the attacker sticks to the resources and access already allocated to the user.

“Instead of the conventional chain of initial access, privilege escalation and endpoint bypass, these threat actors are using centralized identity platforms that offer single sign-on (SSO) and integrated authentication and authorization schemes,” Wright wrote in a June 2025 column. “Rather than creating custom malware, attackers use the resources already available to them as authorized users.”

It remains unclear exactly how the attackers gained access to all Salesloft Drift authentication tokens. Salesloft announced on August 27 that it hired Mandiant, Google Cloud’s incident response division, to investigate the root cause(s).

“We are working with Salesloft Drift to investigate the root cause of what occurred and then it’ll be up to them to publish that,” Mandiant Consulting CTO Charles Carmakal told Cyberscoop. “There will be a lot more tomorrow, and the next day, and the next day.”

How Google, Adidas, and more were breached in a Salesforce scam

7 August 2025 at 06:56

At the heart of multiple data breaches against sophisticated and robust companies, including Google, Adidas, Louis Vuitton, and Chanel, was a rudimentary attack method that required little technical finesse—making a phone call.

By disguising themselves as IT support personnel on the phone, hackers belonging to the group “ShinyHunters” successfully tricked the employees at several multinational corporations into handing over the data within their own Salesforce platforms. The attacks underscore the vulnerability that all businesses face—large or small—in preventing cyberattacks that begin through basic social engineering scams.

In a bizarre twist of irony, security researchers at Google Threat Intelligence Group (GTIG) originally uncovered the hacking campaign in June, only to announce that Google itself had been hit by the very same tactic this week. Other victims in the hacking campaign include Allianz Life, the airline Qantas, and the jeweler Pandora.

The data breaches all leverage a Salesforce feature that allows users to connect to various, external apps. This functionality allows business owners and employees to, for instance, connect their Salesforce data to mapping tools to visualize the locations of a customer base, or to connect their Salesforce data with a newsletter platform to deliver email marketing campaigns to specific customer segments.  

In the attacks, the hackers trick employees into connecting to a fraudulent version of Salesforce’s “Data Loader” app, which lets users import, export, update, and delete large quantities of data that are stored or managed within Salesforce itself. The process for connecting to an external app is simple, as employees just enter an 8-digit code when prompted by Salesforce. But once ensnared in the phone scam, employees are tricked into entering an 8-digit code that will connect to a data exfiltration program owned and operated entirely by the hackers.

Once connected, the hackers are free to roam inside the company’s Salesforce data and steal what they see fit. Some attacks reportedly included an expansion by the hackers into other corporate online accounts, including Microsoft 365, which could reveal a company’s emails and other sensitive messages.

In the attack against Google, the hackers accessed a Salesforce “instance,” which is a term used to describe a company or user’s implementation of software and the data they manage through that software (think of it like when a hacker breaches an online account and then pilfers all the data related to that account and what it can access). In the Google attack, the Salesforce instance “was used to store contact information and related notes for small and medium businesses.”

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

According to the outlet Bleeping Computer, the ShinyHunters cybercrime group is still stealing business data through this attack campaign. Once the hackers have the data, they then extort the victims to pay a hefty ransom or risk having the data exposed online.

How to stay safe from the Salesforce scam

Because this attack is so targeted—every corporate victim uses Salesforce—the defense strategies are clear and actionable. Here’s how you can help yourself and your staff avoid this attack.

  • Audit your Salesforce access. Ensure that the only employees or staff who have access to Salesforce are those who need to use it for their job. When there are fewer employees who can access Salesforce, there are fewer entry points for hackers.
  • Train your staff. Recognizing a social engineering scam is important for any workforce, no matter the size. Inform your employees and yourself about your current IT support provider so that any rogue phone calls are immediately caught.
  • Use multifactor authentication (MFA) for important accounts. The hackers in these attacks managed to gain access to other cloud applications like Microsoft 365. Protect all your employee accounts on sensitive platforms with MFA.

Social engineering scams are some of the most effective and serious threats to small businesses. It’s important to recognize them when they happen. And for all else, use always-on cybersecurity to protect your business from malware, viruses, and nefarious break-in attempts.

A snapshot of the first moments of a union

7 July 2025 at 05:31

At its broadest, the collection spanned from the New Jersey nuptials of David Thomas and Helena Van Boskerk in June 1728 ("the first Year of the Reign of our Sovereign Lord GEORGE the Second") to the 2013 marriage of Loreen M. Bloodgood and Alicia A. Terrizzi, the first same-sex couple to wed in Pennsylvania, before it was even clear their union would be recognized in the commonwealth. Gold-Bikin framed scores of these marriage mementos and displayed them in the hallways of the Norristown, Pennsylvania, law firm where she worked as one of the country's top divorce attorneys. From First Comes Love [Jstor]