In cybersecurity, accuracy is everything and there is little room for error. A small mistake, a missed setting, or a quiet misunderstanding can quickly lead to much bigger problems. The signals seen this week highlight the deeper issues behind what may look like everyday tools: obsolete tooling, slow responses to risk, and the ongoing gap between compliance and actual security.
For those responsible for protecting systems, the key is not just responding to alerts; it is recognizing the larger patterns and hidden weaknesses those alerts reveal.
Here’s a breakdown of what’s rolling out across the cybersecurity world this week.
⚡This week’s threat
NCA arrests suspected Scattered Spider members – The UK National Crime Agency (NCA) has announced that four people have been arrested in connection with cyberattacks targeting the major retailers Marks & Spencer, the Co-op and Harrods. Those arrested are two 19-year-old men, a 17-year-old, and a 20-year-old woman. They were arrested in the West Midlands and London on suspicion of Computer Misuse Act offences, blackmail, money laundering, and participating in the activities of an organized crime group. They are thought to be associated with the infamous cybercriminal collective known as Scattered Spider, an offshoot of the loosely knit group called The Com, which is responsible for a catalogue of serious crimes including social engineering, phishing, SIM swapping, extortion, sextortion, swatting, trickery, murder and more.
🔔Top News
- PerfektBlue Bluetooth flaws – Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy’s BlueSDK Bluetooth stack. “The PerfektBlue exploitation attacks are a set of critical memory corruption and logical vulnerabilities found in the OpenSynergy BlueSDK Bluetooth stack that can be chained together to obtain remote code execution (RCE),” said PCA Cyber Security. Volkswagen said the issues identified relate solely to Bluetooth, and that neither the safety nor the integrity of the vehicle is affected. It also noted that exploitation of the vulnerabilities is possible only if several conditions are met simultaneously.
- North Korean hackers behind fraudulent IT worker scheme sanctioned – The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) on Tuesday sanctioned a member of a North Korean hacking group called Andariel for his role in the infamous remote information technology (IT) worker scheme. Song Kum Hyok, 38, is said to have used foreign-hired IT workers to seek remote employment with US companies and planned to split the income with them, enabling the fraud. The sanctions mark the first time threat actors linked to Andariel, a subcluster within the Lazarus Group, have been tied to an IT worker scheme. “The Treasury’s announcement marks the official public association between the Andariel (APT45) hacking group and North Korea’s remote IT worker operations, but the connection reflects a much broader and long-term pattern,” Michael “Barni,” Principal I3 Insider Risk Investigator at DTEX, told The Hacker News.
- Chinese national arrested over Silk Typhoon attacks – A Chinese citizen has been arrested in Milan, Italy, for alleged links to a state-sponsored hacking group known as Silk Typhoon and for carrying out cyberattacks on American organizations and government agencies. Xu Zewei, 33, has been accused of involvement in US computer intrusions between February 2020 and June 2021. This includes mass attacks that leveraged then zero-day flaws in Microsoft Exchange Server, activity the Windows maker tracks as a cluster it calls Hafnium. Xu, along with co-defendant and Chinese national Zhang Yu, is believed to have carried out the attacks on instructions issued by the Ministry of State Security (MSS) Shanghai State Security Bureau (SSSB).
- Threat actors weaponize leaked version of Shellter to distribute stealers – Hackers are using a popular red teaming tool called Shellter to distribute stealer malware and remote access trojans. The campaign is believed to have started in April 2025, roughly the same time a company that had purchased a licensed copy of the software leaked it to a cybercrime forum. “While the Shellter project is a victim in this case through intellectual property loss and future development time, other participants in the security space must now contest the real threats wielding more competent tools,” Elastic Security Labs said.
- Fortinet patches critical SQL injection flaw – Fortinet has released fixes for a critical security flaw affecting FortiWeb that allows an unauthenticated attacker to execute arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability has a CVSS score of 9.6 out of 10.0. According to watchTowr Labs, the issue is rooted in the fact that the bearer token authentication header of a specially crafted HTTP request is passed directly into a SQL database query without first being sanitized to ensure it contains no malicious code. The disclosure comes as Sonar detailed several vulnerabilities in Fortinet’s FortiClient (CVE-2025-25251, CVE-2025-31365, CVE-2025-22855, CVE-2025-22859, and CVE-2025-31366). CVE-2025-22859 “allows authenticated attackers to upload stored XSS payloads to Linux-based EMS servers,” said security researcher Yaniv Nizry. “Utilizing this vulnerability, an attacker can manipulate EMS users into clicking on malicious links and force all registered endpoints to switch their connections to a malicious EMS server without client interaction.”
Trending CVEs
Hackers jump on newly discovered software flaws quickly, sometimes within hours. Whether it is a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below is this week’s wave of high-risk vulnerabilities. Check the list, patch quickly, and stay one step ahead.
This week’s list includes CVE-2025-47227, CVE-2025-47228 (ScriptCase), CVE-2025-24269, CVE-2025-30012, CVE-2025-42963, CVE-2025-42966 and CVE-2025-42980 (SAP), CVE-2025-52488 (DNN), CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, CVE-2025-6243 (Ruckus Wireless), CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Apache Tomcat), CVE-2025-6948 (GitLab CE/EE), CVE-2025-0141 (Palo Alto Networks GlobalProtect App), CVE-2025-6691 (SureForms plugin), CVE-2025-7206 (D-Link DIR-825), CVE-2025-32353, CVE-2025-32874, CVE-2025-7027, CVE-2025-7028, CVE-2025-7029 (Gigabyte UEFI), CVE-2025-1727 (End-of-Train and Head-of-Train devices), and a flaw in the Linux kernel’s pipapo set module.
Around the Cyber World
- Atomic Stealer gets backdoor functionality – The macOS information stealer known as Atomic Stealer (aka AMOS) has been updated with an embedded backdoor to gain persistent access to compromised systems. The new component allows attackers to execute arbitrary remote commands, gain full user-level access, survive reboots, and control infected hosts indefinitely. According to Moonlock Lab, Atomic’s distribution campaign has recently shifted from broad channels like cracked software sites to targeted phishing aimed at cryptocurrency owners, using staged job interview invitations to infect freelancers. The US, France, Italy, the UK and Canada are among the countries affected by the stealer malware. This is only the second known case of a global-scale backdoor deployment of this kind, the first being attributed to North Korea. “The upgrade to AMOS represents a major escalation in both capabilities and intent, whether the changes were made by the original malware creator or someone else changed the code,” the company said. “It is clear that the Atomic macOS Stealer’s Russian author follows in the footsteps of North Korean attack groups.”
- Call of Duty maker takes game offline after reports of RCE exploit – The makers of Call of Duty: WWII have announced that the PC version of the game has been taken offline following “reports of an issue.” The issue appears to be a security problem, specifically a remote code execution (RCE) vulnerability in the popular video game that allows attackers to take over other players’ PCs during live multiplayer matches. The RCE exploit was reportedly abused to open command prompts on victims’ PCs, send mocking messages via Notepad, and force shutdowns of players’ computers, among other things. Activision has not officially commented on the issue, but is said to be working on fixing the bug.
- BaitTrap uses over 17K sites to push scams – A network of over 17,000 websites mimicking trusted brands, including CNN, BBC and CNBC, is redirecting visitors to online scams. The BaitTrap network lures victims using Google and Meta ads, social media posts, and YouTube videos. The fake sites typically try to collect personal information and hijack online cryptocurrency accounts. They target audiences in over 50 countries around the world. The sites publish fake stories featuring prominent public figures, including national leaders and central bank governors, and falsely link those figures to “an investment scheme manufactured to build trust and engage with victims.”
- Dutch police arrest five members of a phishing gang – Dutch police have arrested five members of a phishing gang that operated in the city of Releasetad. Four of the group’s members are teenagers aged 14-17. Authorities said the suspects used QR codes sent via email to collect login credentials for a local bank. In a related law enforcement development, Nepali authorities have arrested 52 people allegedly carrying out online dating and crypto investment scams. The group ran a call centre and a dating app called Metoo, recruiting young Nepali women to promote fraudulent online trading. Six of the detained suspects were Chinese and are believed to have managed the operation.
- German court orders Meta to pay 5,000 euros over GDPR violation – A German court has ruled that Meta must pay 5,000 euros ($5,900) to a German Facebook user who sued the platform over its embedding of pixel tracking technology on third-party websites. The ruling could open the door to massive fines over data privacy violations involving similar tracking tools. The Leipzig Regional Court found that Meta collected user data without consent via tracking pixels embedded in countless websites, apps and software development kits, and determined that this violates the EU’s General Data Protection Regulation (GDPR). “Every user can always be identified by Meta as soon as they access third-party websites or use the app, even if they are not logged in via their Instagram and Facebook accounts,” the court said.
- LFI flaw in Microsoft export-to-PDF functionality – A local file inclusion (LFI) vulnerability was disclosed in Microsoft 365’s export-to-PDF functionality, allowing attackers to access sensitive internal data when converting HTML documents to PDF. The vulnerability, reported by security researcher Gianluca Baldi, was subsequently patched by Microsoft and earned a $3,000 reward. “It turns out there are undocumented behaviors that allow you to convert HTML to PDF files,” Baldi said. “By embedding a specific tag (,
- Ruckus Wireless flaws – Several unpatched security flaws (CVE-2025-44954, CVE-2025-44955, CVE-2025-44957, CVE-2025-44958, CVE-2025-44960, CVE-2025-44961, CVE-2025-44962, CVE-2025-44963, and CVE-2025-6243) have been disclosed in the Ruckus Wireless management products Virtual SmartZone (vSZ) and Network Director (RND) that could be exploited by attackers to leak sensitive information and breach wireless environments. The flaws include authentication bypasses, hard-coded secrets, authenticated arbitrary file reads, and unauthenticated remote code execution. “Attackers with network access to Ruckus Wireless vSZ can leverage CVE-2025-44954 to gain full admin access that leads to a complete compromise of the vSZ wireless management environment,” CERT/CC said. “In addition, multiple vulnerabilities can be chained to create chain attacks that allow attackers to bypass security controls that prevent only certain attacks.” Claroty Team82’s Noam Moshe has been credited with discovering and reporting the issues. In the absence of a patch, users are advised to restrict access to trusted users and authenticated clients, and to manage their infrastructure only over secure protocols such as HTTPS and SSH.
- Gigabyte UEFI security flaws – Multiple security flaws have been disclosed in UEFI modules present in Gigabyte firmware (CVE-2025-7026, CVE-2025-7027, CVE-2025-7028, and CVE-2025-7029). “Attackers with local or remote administrative privileges could exploit these vulnerabilities to run arbitrary code in System Management Mode (Ring -2), bypassing OS-level protections,” CERT/CC said. “These vulnerabilities can be triggered from within the operating system before the OS is fully loaded, or, in certain cases, via SMI handlers during the early boot phase, sleep states, or recovery mode.” Successful exploitation of the vulnerabilities disables UEFI security mechanisms such as Secure Boot and Intel Boot Guard, facilitating stealthy firmware implants and allowing persistent control of the system. The flaws were discovered and reported by Binarly.
- Android gets no security patches in July 2025 for the first time in 10 years – Google announced that no security patches were released for Android and Pixel devices in July 2025, ending a 10-year streak of monthly security updates. This is the first month without fixes since Google began rolling out monthly Android patches in August 2015.
- Indonesia extradites Russian citizen for selling personal data on Telegram – Indonesia has handed over a Russian citizen named Alexander Zverev, who allegedly ran a Telegram channel that sold personal data obtained from law enforcement databases. Russian authorities claimed that Zverev operated an unnamed criminal network between 2018 and 2021, profiting from the sale of sensitive personal information sourced from databases belonging to the Russian Ministry of Internal Affairs (MVD), the Federal Security Service (FSB), and mobile phone operators. Subscribers to the Telegram channel could reportedly purchase details about Russian citizens, including personal information. Officials have not named the channel or said whether it is still in operation.
- Law enforcement catches up with ransomware actors – The Brussels Criminal Court sentenced a Russian Crylock ransomware developer to seven years in prison for masterminding the deployment of the malware on thousands of computers. A woman, his former co-conspirator, who was involved in promoting Crylock and negotiating with victims, was sentenced to five years. Over 60 million euros ($70 million) in cryptocurrency representing illegal proceeds from the ransomware operation has been seized by law enforcement. The development came as French authorities arrested a 26-year-old Russian basketball player on suspicion of his role in ransomware attacks. Daniil Kasatkin was arrested at Charles de Gaulle Airport in Paris on June 21, 2025 at the request of US authorities. Kasatkin is said to have helped an unnamed ransomware gang negotiate ransoms. Kasatkin’s lawyer denied the charges and argued that his client lacks technical skills. “He bought a second-hand computer. He did nothing at all. He was shocked,” his lawyer, Frederick Bellott, told AFP. “He’s useless on a computer and can’t even install an application. He didn’t touch the computer at all. It was hacked, or a hacker sold it to him and acted under the cover of another person.” He is currently awaiting extradition to the US. The ransomware group Kasatkin is said to have been involved with has allegedly attacked around 900 companies; the US Federal Bureau of Investigation (FBI) recently said it is aware of around 900 organizations hit by the Play ransomware group.
- RansomedVC returns after hiatus, leaks Medusa data – The RansomedVC ransomware group has returned after two years of absence and leaked internal chat transcripts of the Medusa ransomware group spanning December 11, 2022 to March 2023. Medusa “appears to be completely absent and unresponsive to the needs of its members.” “From an analysis of the transcripts and previous events, the group highlights that a SQLi vulnerability was exploited by the group in 2024 and that the currently leaked chats referring to ‘Forti’ date back to 2023, so the group is primarily focused on targets with Fortinet access.” This development coincides with the emergence of new players, including Bert. SafePay, another ransomware group that surfaced last year, has become “one of the most active and dangerous actors,” primarily targeting managed service providers (MSPs) and small and medium-sized businesses (SMBs). “The group uses classic and effective techniques, including RDP- and VPN-based intrusions, credential theft, privilege escalation, and living-off-the-land binaries.” Ransomware attacks on businesses around the world rose 213% in the first quarter of 2025, with 2,314 victims posted on 74 different data leak sites, compared to just 1,086 in the first quarter of 2024.
- Disgruntled worker jailed for cyber attack – Mohammed Umar Taj, 31, of Heist Garth in Batley, UK, has been sentenced to seven months and 14 days in prison for unlawfully accessing a former employer’s premises, altering login credentials and disrupting the company’s business by changing access credentials and multi-factor authentication configurations. He had been suspended from work in July 2022.
- Hacker behind GMX Exchange hack returns assets – The unknown hacker behind the $42 million theft from decentralized exchange GMX has returned the stolen assets in exchange for a $5 million bug bounty. The development came after GMX promised not to pursue the attacker if the funds were returned. In its post-mortem report, the company said it addressed the underlying cause in subsequent updates. “Based on a review of the incident by contributors, auditors and security researchers, the root cause of the exploit is a re-entrancy attack,” it said. “By taking advantage of this re-entrancy to bypass the average short price calculation, the attacker was able to open positions and manipulate the average short price of BTC down from the initial value of $109,505.77 to $1,913.70.”
- Thermomix TM5 appliance flaws – A security analysis of the Thermomix TM5 revealed several weaknesses that could make the kitchen appliance susceptible to firmware downgrade attacks (limited to firmware versions prior to 2.14). “This vulnerability can be chained with the firmware downgrade vulnerability to gain arbitrary code execution and apply controlled firmware update files without ruining the NAND flash,” Synacktiv said. “By taking advantage of these flaws, you could change firmware version blocks to bypass anti-downgrade protection, downgrade the firmware, and execute arbitrary code.”
- API client security risks detailed – An analysis of API clients such as Postman, Insomnia, Bruno and Hoppscotch reveals potential vulnerabilities in their JavaScript sandboxing implementations. “Of course, running untrusted code without isolation is a bad idea, but it’s also a problem to use seemingly working solutions such as Node.js’s built-in vm module and the third-party vm2 package.” “It’s known that there are bypasses that allow malicious code to escape from the sandbox and access system resources.”
- Ubuntu turns off Intel GPU security mitigation – Ubuntu has disabled security features that protected Intel GPUs against Spectre side-channel attacks. Canonical said it no longer requires these safeguards because it now relies on kernel-level protection. Ubuntu users can expect to see performance improvements of up to 20% after the update. “After discussion between the Intel and Canonical security teams, we agree that there is no longer a need to mitigate Spectre for GPUs at the Compute Runtime level,” an Ubuntu maintainer said. “At this point, Spectre has been mitigated in the kernel, and a clear warning from the Compute Runtime build serves as a notification for those running a kernel that has not been fixed. For these reasons, we feel that the Spectre mitigations in the Compute Runtime no longer provide enough security impact to justify the current performance trade-off.”
- Botnet engages in web scraping – A new botnet with over 3,600 unique IP addresses has been observed engaging in web scraping activity since at least April 19, 2025. The majority of the botnet’s infected hosts are located in Taiwan, Japan, Bulgaria and France. “The dominance of Taiwanese IP space could suggest that common technologies or services widely deployed in Taiwan are being compromised, or that local exposure to shared vulnerabilities is driving the clustering,” the threat intelligence company said.
- The Czech Republic becomes the latest country to warn about DeepSeek – The Czech cybersecurity agency, the National Cyber and Information Security Agency (NÚKIB), has issued a formal warning detailing the national security risks posed by the use of software provided by Chinese artificial intelligence company DeepSeek. “Major security concerns stem from insufficient protection of data in transmission and handling, from the collection of excessive data types, and finally from the legal and political environment of the People’s Republic of China, to which DeepSeek is fully subject,” NÚKIB said. To that end, the government has banned the use of DeepSeek on state-owned devices and urged the public to be mindful of information shared with the platform. However, NÚKIB said the decision does not apply to the open-source large language models (LLMs) developed by DeepSeek, provided the source code is made available for review and the models can be deployed locally without contacting servers associated with DeepSeek or its related entities. Several other countries, including Canada, Germany, Italy, the Netherlands, South Korea and Taiwan, have issued similar warnings.
- TikTok comes under the EU radar again – The Irish Data Protection Commission (DPC) said it would begin an investigation into TikTok regarding the transfer of European Union user data to servers located in China. “The purpose of the inquiry is to determine whether TikTok has complied with its relevant obligations under the GDPR in the context of the issues at hand.” The development comes just two months after the DPC fined TikTok 530 million euros ($620 million) for transferring European users’ data to China and allowing China-based staff to access it. TikTok, owned by Chinese company ByteDance, has been subject to intense scrutiny on both sides of the Atlantic over how it processes individual user information, amid concerns that it poses national security risks. Under the region’s strict data protection laws, European user data can only be transferred outside the bloc if safeguards are in place to ensure the same level of protection. TikTok is also facing heat in the UK after the UK data regulator, the Information Commissioner’s Office (ICO), determined that it has the authority to issue monetary penalty notices (MPNs) to TikTok. The ICO fined TikTok in 2023, but the company argued that “the ‘special purpose’ provisions applied because its processing was for an artistic purpose.”
- Google details Android Advanced Protection – In May 2025, Google launched Advanced Protection, which “ensures that all of the best Android security features are enabled and work seamlessly together to protect you from online attacks, harmful apps and data risks.” Like Lockdown Mode on Apple iOS, iPadOS and macOS devices, Advanced Protection aims to provide stronger guardrails for journalists and other high-risk targets. In Google Chrome, this includes always using secure connections, enabling full site isolation on mobile devices with 4GB+ RAM to keep malicious sites away from legitimate ones, and disabling JavaScript optimizations.
- SatanLock announces sudden shutdown – SatanLock, a new ransomware group on the threat landscape, has announced it is shutting down. The exact reason behind the sudden move is unknown. The group first appeared in early April and claimed 67 victims within a month. However, Check Point found that 65% of these victims had already been listed by other ransomware groups.
- Russia rejects law that would legalize white hat hacking – The Russian State Duma has rejected a law that would have legalized ethical hacking, citing national security concerns. Politicians expressed concern that the law would require vulnerabilities found in software made by companies headquartered in hostile countries to be shared with those companies.
- GitHub repos used to distribute malware disguised as free VPN – Threat actors have been observed using GitHub to stage stealer malware like Lumma, disguising it as a “Free VPN for PC” and a “Minecraft Skin Changer.” “An analysis of the ‘Free-VPN-for-PC’ sample revealed that behind its seemingly legitimate facade, it acts as a sophisticated malware dropper designed to deliver Lumma Stealer,” Cyfirma said. “The dropper, impersonating a useful tool, uses multiple layers of obfuscation, in-memory execution, and process injection to avoid detection.” The same malware has also been repackaged under the name “Minecraft Skin.”
- NFC-enabled fraud targets the Philippine financial sector – A Chinese mobile malware syndicate relying on NFC relay attacks is currently spreading across the Philippines, Resecurity revealed. “Major underground shops managed by Chinese cybercriminals list the Philippines as one of the most affected regions based on the volume of compromised credit cards (CCs),” the company said. Other top regions targeted by Chinese cybercriminals include Australia, Taiwan, Malaysia, New Zealand, Singapore, Thailand, Hong Kong, South Korea and Indonesia. These groups are active on Telegram, where fraudsters can obtain compromised cards and check whether they are valid using micro-charges executed via fraudulent merchants set up by the Chinese cybercriminals. Attackers can use tools such as Z-NFC, X-NFC, SuperCard X, and Track2NFC to clone stolen card data and execute rogue transactions using NFC-enabled devices.
- GitPhish tool automates GitHub device code phishing – Cybersecurity researchers have demonstrated a new initial access vector that leverages the OAuth 2.0 device authorization grant to compromise an organization’s GitHub repositories and software supply chain. The technique, known as device code phishing, uses social engineering to trick victims into entering an 8-digit device code after clicking a link provided by the attacker, which could lead to a complete compromise of the organization’s GitHub repositories and software supply chain. It is worth noting that device code phishing has been used by suspected Russian actors to access Microsoft accounts. “We explicitly designed GitPhish for security teams who are trying to carry out device code phishing assessments on GitHub and build detection capabilities,” Praetorian said. “Red teams can simulate realistic attack scenarios to test organizational resilience, while detection engineers can verify their ability to identify suspicious OAuth flows, anomalous GitHub authentication patterns, and potential social engineering attempts.”
- Malicious browser extensions abound – A set of 18 malicious extensions with 2.3 million downloads on Google’s Chrome Web Store and the Microsoft Edge Add-ons store was found to incorporate the ability to track users’ site visits, steal browser activity and redirect them to potentially unsafe sites. These add-ons pose as productivity and entertainment tools across a variety of categories, including color pickers, emoji keyboards, weather forecasts, video speed controllers, Discord and TikTok VPN proxies, dark themes, volume boosters, YouTube unblockers, and more. They provide the advertised features, which gives them perfect cover to hide the browser monitoring and hijacking functionality. The activity has been codenamed RedDirection by Koi Security. The campaign is notable because the extensions started as benign tools and the malicious code was introduced later via updates. Last month, LayerX revealed that it had identified a network of malicious “sleeper agent” extensions likely set up as a stepping stone for future activity. These extensions have been installed nearly 1.5 million times. One extension common to both clusters is “Volume Max – Ultimate Sound Booster” (Extension ID: mgbhdehiapbjamfgekfpebmhmnmmcmemg). The disclosure coincides with another campaign revealed by Secure Annex, called Mellowtel, which turned hundreds of extensions incorporating the Mellowtel library into a distributed web scraping network. The extensions have collectively been installed almost 1 million times. “We discovered a new monetization library developed by Mellowtel, which pays extension developers in exchange for the ‘unused bandwidth’ of users with the extension installed,” said John Tuckner.
The library is traced to an individual named Arslan Ali, who is also the founder of a company called Olostep, which claims to provide “the world’s most reliable and cost-effective web scraping API.” Scraping requests from Olostep are thought to be distributed to any of the active extensions running the Mellowtel library. Mellowtel, for its part, states that it does not collect or sell users’ personal data. “Instead of collecting user data, tracking users across the web and displaying ads nonstop, we’re building a monetization engine for developers based on bandwidth/resource sharing,” Ali says.

🎥Cybersecurity Webinar
- Stop “pip install and pray”: How to Protect Your Python Supply Chain in 2025 – Repo-jacking, typosquatting, and poisoned containers are turning trusted tools into attack vectors. Whether you manage infrastructure or write code, securing your Python environment is no longer optional. Learn how to take control before attackers do.
- From Login Fatigue to AI Fatigue: Securing Identity in 2025 – AI streamlines logins, but it also raises alarm bells. Customers are growing wary about how their data is being used, making trust harder to earn. This webinar reveals how big brands are rebuilding digital trust while keeping logins safe and user-friendly.
- From Copilots to Attack Bots: Fixing the AI Identity Layer – As AI copilots and agents go mainstream, attackers are using the same tools to bypass logins, impersonate users, and exploit APIs. In this webinar, Okta shows how to outpace AI-driven threats by making identity the first and last line of defense.
🔧Cybersecurity Tools
- Bitchat – A tool that lets you chat over Bluetooth alone, with no internet, servers, or phone numbers. It builds a local mesh network between nearby devices, allowing completely offline communication. Public group chat is safe and usable. Private messaging and channels are still under development and have not been externally reviewed, so they are not yet recommended for sensitive conversations.
- GitPhish – A tool for testing GitHub’s device login flow in a security research environment. It helps simulate phishing-style attacks by creating fake login pages, capturing tokens, and tracking activity. Built for ethical testing, it includes dashboards, auto-deployment and logging. All of this is intended for use only in safe and approved environments.
Disclaimer: These newly released tools are for educational use only and have not been fully audited. Use at your own risk – refer to the code, test it safely, and apply appropriate protection measures.
🔒Tip of the Week
Automatically map known vulnerabilities across the stack – Manually checking CVEs is slow, incomplete and easy to get wrong. Instead, use automated tools that correlate software versions with known vulnerabilities across your environment.
Start with Nmap scripts like CVEScannerV2 or vulners.nse, which scan live services for published software versions and match them against CVE databases. For deeper insight:
- Use tools like Nuclei (customizable vulnerability templates), Magician (container + system CVEs), and Grype (SBOM-based scanning).
- Monitor third-party components with scanners such as Dependency-Track if you are building software.
- Set up scheduled scans using tools that integrate with your ticketing system, so your team actually acts on the findings.
Finally, cut the noise: not every CVE is worth patching. Focus on CVEs with public exploits, high CVSS scores, and exposure to users or attackers.
Pro tip: Always validate findings using actual exploitability rather than just a version match.
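As an added example (not from the newsletter or from any of the tools it names), the script below shows the correlation and noise-cutting steps of this tip in miniature: it matches an inventory of host/product/version records against a vulnerability feed using version ranges, then ranks and filters the matches by public exploit, CVSS and exposure. The feed format, product names, versions and CVE identifiers are constructed placeholders, and the ranking weights are illustrative.

```python
"""Correlate (host, product, version) records with a vulnerability feed and
rank the matches the way the tip above suggests: public exploit first,
then CVSS score, then exposure to untrusted users.

All records and CVE identifiers below are constructed sample data
(placeholder IDs, not real CVEs); the feed layout is a simplified stand-in
for what an SBOM scanner or vulnerability database export would provide."""
from dataclasses import dataclass
from typing import Optional
import re


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    introduced: str        # first affected version, inclusive
    fixed: Optional[str]   # first fixed version, exclusive; None = no fix yet
    cvss: float
    exploit_public: bool   # a public exploit or PoC is known to exist


@dataclass
class Finding:
    host: str
    product: str
    version: str
    vuln: Vuln
    exposed: bool          # reachable by untrusted users or the internet


def parse_version(v: str) -> tuple:
    """Turn '9.0.106' or '2.14-rc1' into a comparable tuple of ints.
    Pre-release suffixes are ignored on purpose in this example."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if m is None:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected(version: str, vuln: Vuln) -> bool:
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(vuln.introduced):
        return False
    return vuln.fixed is None or v < parse_version(vuln.fixed)


def priority(f: Finding) -> float:
    """Illustrative weighting: a public exploit dominates, then CVSS,
    then whether the vulnerable service is exposed."""
    score = f.vuln.cvss
    if f.vuln.exploit_public:
        score += 10.0
    if f.exposed:
        score += 5.0
    return score


def patch_now(f: Finding) -> bool:
    """Noise filter: act on public exploits, or critical CVSS on exposed hosts.
    Everything else goes to the backlog for exploitability validation."""
    return f.vuln.exploit_public or (f.vuln.cvss >= 9.0 and f.exposed)


def correlate(inventory: list, feed: list) -> list:
    """Match each inventory record against feed entries for the same product
    and return the findings sorted from most to least urgent."""
    findings = [
        Finding(item["host"], item["product"], item["version"], vuln, item["exposed"])
        for item in inventory
        for vuln in feed
        if vuln.product == item["product"] and is_affected(item["version"], vuln)
    ]
    return sorted(findings, key=priority, reverse=True)


# Constructed sample data: placeholder CVE IDs and fictitious products/versions.
SAMPLE_FEED = [
    Vuln("CVE-0000-0001", "webappfw", "7.0.0", "7.6.4", 9.6, True),    # SQLi, exploit public
    Vuln("CVE-0000-0002", "webappfw", "7.0.0", "7.6.4", 5.3, False),   # minor info leak
    Vuln("CVE-0000-0003", "wlan-mgr", "6.1.0", None, 9.8, False),      # unfixed auth bypass
    Vuln("CVE-0000-0004", "appserver", "10.1.0", "10.1.41", 7.5, False),
]
SAMPLE_INVENTORY = [
    {"host": "waf-edge-1", "product": "webappfw", "version": "7.6.3", "exposed": True},
    {"host": "waf-lab", "product": "webappfw", "version": "7.6.4", "exposed": False},
    {"host": "wlan-ctl", "product": "wlan-mgr", "version": "6.1.2", "exposed": False},
    {"host": "app-int-2", "product": "appserver", "version": "10.1.40", "exposed": False},
]


def triage(inventory=SAMPLE_INVENTORY, feed=SAMPLE_FEED) -> list:
    """Only the findings that pass the noise filter, most urgent first."""
    return [f for f in correlate(inventory, feed) if patch_now(f)]


if __name__ == "__main__":
    for f in correlate(SAMPLE_INVENTORY, SAMPLE_FEED):
        flag = "PATCH NOW" if patch_now(f) else "backlog"
        print(f"{f.host:<12}{f.vuln.cve:<16}{f.version:<10}{priority(f):5.1f}  {flag}")
```

Note that the fully patched lab host (7.6.4) produces no finding because the fixed version is exclusive, and the unfixed 9.8 on the internal controller is ranked high but left in the backlog until its exploitability is validated.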
Conclusion
It’s not just the scale of this week’s incidents that stands out. It’s how tools, platforms, and even browser extensions are quietly being turned against us. From red team software reappearing as a malware loader to coding libraries that enable stealthy abuse, the line between legitimate use and exploitation is getting hard to see. When a trusted environment becomes part of the attack chain, security teams need to do more than apply patches; they need to question their assumptions about what is safe by default.
Moving forward means paying as much attention to what is already inside the gate as to what is trying to break in.