VPN Vulnerabilities, Oracle's Quiet Patch, and a ClickFix Malware Spike Lead This Week's Security News
This week's cybersecurity landscape paints a stark picture: every unpatched vulnerability, compromised credential, and neglected plugin presents a potential entry point for malicious actors. Supply chain risks are escalating, with threats lurking within trusted code, and malware is increasingly sophisticated, infiltrating not only suspicious applications, but also job solicitations, hardware components, and cloud services.

In today's world, it's a harsh reality: every unpatched system, every leaked password, and every plugin you forgot about is a potential entry point for attackers. Supply chains run deep, weaving through code we often blindly trust. And malware? It's not just lurking in shady apps anymore. It's hiding in plain sight – in job offers, hardware, and even cloud services we depend on every single day.
Attackers don't always need a fancy zero-day, either. Often a stolen credential and a bit of clever social engineering is enough to walk right in.
This week, we're looking at how simple mistakes can snowball into major security disasters, and the quiet threats that are still flying under most companies' radars.
So, let's get started.
⚡ Threat of the Week
UNC5221 Exploits New Ivanti Flaw: A Chinese cyber espionage group, UNC5221, has been spotted exploiting a vulnerability (CVE-2025-22457, a stack-based buffer overflow) in Ivanti Connect Secure. They're using it to deliver some nasty payloads: a dropper called TRAILBLAZE, a backdoor named BRUSHFIRE, and the SPAWN malware suite. Ivanti fixed the bug in Connect Secure 22.7R2.6 back in February, but at the time it was assessed as a low-risk denial-of-service issue rather than a remote code execution flaw, so it looks like UNC5221 reverse-engineered the fix, worked out how to exploit it, and went after appliances still running older versions. If you run Connect Secure, confirm you are on 22.7R2.6 or later and run Ivanti's Integrity Checker Tool on anything that sat unpatched. This group is also known as APT27, Silk Typhoon, and UTA0178, if you're keeping track at home.
🔔 Top News
- EncryptHub Unmasked as a Lone Wolf: Turns out, the rising threat actor known as EncryptHub got exposed due to some pretty basic security mistakes. What's wild is that this person was also contributing to legitimate security research at the same time, even getting props from Microsoft for reporting vulnerabilities! They were also using OpenAI's ChatGPT to help write malware and translate stuff. In one chat, EncryptHub even asked ChatGPT if they should be a "black hat or white hat" hacker, and confessed to their crimes. As Outpost24 put it, "many hackers are normal people who at some point decided to follow a dark path."
- GitHub Supply Chain Attack: SpotBugs Token Theft: That supply chain attack that hit Coinbase and other users of the "tj-actions/changed-files" GitHub Action? It's been traced back to the theft of a personal access token (PAT) from the SpotBugs open-source project. The attacker compromised SpotBugs in November, then used the stolen PAT to compromise "reviewdog/action-setup," which "tj-actions/changed-files" depends on, and from there pushed a malicious version of "tj-actions/changed-files" itself. The link in the chain was a maintainer who had access to both reviewdog and SpotBugs. Because the compromised action's existing version tags were repointed at the malicious commit, any workflow referencing the action by tag rather than by commit SHA picked it up automatically, and the attackers were ultimately able to expose secrets in 218 repositories after failing to breach Coinbase directly.
- Contagious Interviews & Fake npm Packages: The North Korean hackers behind the Contagious Interview campaign are now using the ClickFix social engineering tactic, which talks the victim into copying and running a command themselves to "fix" a fake error, to spread a new backdoor called GolangGhost. They've also uploaded 11 fake npm packages containing the BeaverTail stealer and a new RAT loader. These packages were downloaded over 5,600 times before being removed. Separately, North Korean IT workers are trying to get jobs all over the world, especially in Europe, using fake references and vouching for each other. And if they get caught, they're now trying to extort money from the companies that hired them. As the US government cracks down, these groups are becoming more aggressive to maintain revenue streams.
- Fake Android Phones Preloaded with Malware: Watch out for counterfeit Android phones! They're being sold cheap, but they come with the Triada malware baked into the firmware, so a factory reset does not get rid of it. Most of these infected devices have been found in Russia.
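The SpotBugs item above turns on one detail: workflows that reference a GitHub Action by a mutable tag (`@v45`, `@v1`, `@main`) silently follow that tag wherever a stolen token moves it. The script below is an added example, not code from the article or from any of the projects it mentions; it scans workflow YAML with a plain regex (no PyYAML dependency) and reports every third-party `uses:` reference that is not pinned to a full 40-character commit SHA. The sample workflow and the checkout SHA in it are constructed for illustration.

```python
import re

# A "pinned" reference is a full 40-hex-char commit SHA. Tags and branches
# (v45, v1, main) can be repointed by whoever controls the repo or holds a
# stolen PAT, which is how the tj-actions/changed-files compromise spread.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str):
    """Return (line_number, reference) for every repo-hosted action in the
    workflow that is not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local actions and Docker images are not GitHub repo refs; skip them.
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            findings.append((lineno, ref))  # no version at all
            continue
        _, version = ref.rsplit("@", 1)
        if not _SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow; the checkout SHA is illustrative only.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
      - uses: tj-actions/changed-files@v45
      - uses: reviewdog/action-setup@v1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run it over the files under `.github/workflows/` in CI and fail the build on any finding. A SHA pin only protects you if you also review what the SHA points to when you bump it, but it does close the "tag moved underneath us" path this attack relied on.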