thedfirreport.com - Bumblebee malware has been an initial access tool used by threat actors since late 2021. In 2023 the malware was first reported as using SEO poisoning as a delivery mechanism. Recently in May of 2025 Cyjax reported on a campaign using this method again, impersonating various IT tools. We observed a similar campaign in July in which a download of an IT management tool ended with Akira ransomware.
In July 2025, we observed a threat actor compromise an organization through this SEO poisoning campaign. A user searching for “ManageEngine OpManager” was directed to a malicious website, which delivered a trojanized software installer. This action led to the deployment of the Bumblebee malware, granting the threat actor initial access to the environment. The intrusion quickly escalated from a single infected host to a full-scale network compromise.
Following initial access, the threat actor moved laterally to a domain controller, dumped credentials, installed persistent remote access tools, and exfiltrated data using an SFTP client. The intrusion culminated in the deployment of Akira ransomware across the root domain. The threat actor returned two days later to repeat the process, encrypting systems within a child domain and causing significant operational disruption across the enterprise.
This campaign affected multiple organizations during July as we received confirmation of a similar intrusion responded to by the Swisscom B2B CSIRT in which a malicious IT tool dropped Bumblebee and also ended with Akira ransomware deployment.
The Wiz Research team has discovered a chain of critical vulnerabilities in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).
This attack path originates in the server's Python backend and starts with a minor information leak that cleverly escalates into a full system compromise. This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses and a foothold for attackers to move deeper into a network.
Wiz Research responsibly disclosed these findings to NVIDIA, and a patch has been released. We would like to thank the NVIDIA security team for their excellent collaboration and swift response. NVIDIA has assigned the following identifiers to this vulnerability chain: CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. We strongly recommend all Triton Inference Server users update to the latest version. This post provides a high-level overview of these new vulnerabilities and their potential impact.
The enclosed work is the latest in a series of NVIDIA vulnerabilities we’ve disclosed, including two container escapes: CVE-2025-23266 and CVE 2024-0132.
Mitigations
Update Immediately: The primary mitigation is to upgrade both the NVIDIA Triton Inference Server and the Python backend to version 25.07 as advised in the NVIDIA security bulletin.
Wiz customers can use the following to detect vulnerable instances in their cloud environment:
Wiz customers can use the Vulnerability Findings page to find all instances of these vulnerabilities in their environment, or filter results to instances related to critical issues. Alternatively, you can use the Security Graph to identify publicly exposed vulnerable VMs/serverless or containers.
Wiz Advanced customers can filter on findings identified or validated by the Dynamic Scanner, and Wiz Sensor customers can filter on runtime validated findings.
Wiz Code customers can filter on findings with one-click remediation to generate a pull request with fixes for vulnerable instances detected in code repositories.
therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.
Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.
Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.
SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.
The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.
“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.
SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.
The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.
At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.
“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.
“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.
The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.
When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”
Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”
Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.
A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.
“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.
He confirmed that the incidents Huntress examined also involved Akira ransomware.
'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.
“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.
“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”
SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.
Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.
techcrunch.com - Google’s AI-powered bug hunter has just reported its first batch of security vulnerabilities.
Heather Adkins, Google’s vice president of security, announced Monday that its LLM-based vulnerability researcher Big Sleep found and reported 20 flaws in various popular open source software.
Adkins said that Big Sleep, which is developed by the company’s AI department DeepMind as well as its elite team of hackers Project Zero, reported its first-ever vulnerabilities, mostly in open source software such as audio and video library FFmpeg and image-editing suite ImageMagick.
Given that the vulnerabilities are not fixed yet, we don’t have details of their impact or severity, as Google does not yet want to provide details, which is a standard policy when waiting for bugs to be fixed. But the simple fact that Big Sleep found these vulnerabilities is significant, as it shows these tools are starting to get real results, even if there was a human involved in this case.
“To ensure high quality and actionable reports, we have a human expert in the loop before reporting, but each vulnerability was found and reproduced by the AI agent without human intervention,” Google’s spokesperson Kimberly Samra told TechCrunch.
Royal Hansen, Google’s vice president of engineering, wrote on X that the findings demonstrate “a new frontier in automated vulnerability discovery.”
LLM-powered tools that can look for and find vulnerabilities are already a reality. Other than Big Sleep, there’s RunSybil and XBOW, among others.
Perplexity is repeatedly modifying their user agent and changing IPs and ASNs to hide their crawling activity, in direct conflict with explicit no-crawl preferences expressed by websites.
Les arnaques avec un faux SMS annonçant une contravention à régler ont fait de nombreuses victimes ces derniers mois. A l’image d’une retraitée, qui a perdu 3000 francs dans l’affaire, comme le relate la «Tribune de Genève» lundi. Le message provenant de sites frauduleux, comme «amendes.ch», «parkings-vd.com» ou «parkings-ge.com», annonce au destinataire qu’il doit s’acquitter de 40 francs et l’invite à cliquer sur un lien. Il s’agit en réalité d’un hameçonnage permettant aux malfrats d’accéder aux données bancaires des victimes.
Plus de 220 personnes ont annoncé avoir fait les frais de cette arnaque à Genève et dans le canton de Vaud, rapporte le quotidien genevois. Le coût total des dommages s’élève à 3,6 millions de francs. Pour éviter la fraude, avait indiqué la police vaudoise notamment, il est recommandé de ne jamais cliquer sur les liens proposés, de bloquer le correspondant et de supprimer le messager.
computerweekly.com - The Austrian government is likely to face legal challenges after it succeeded on its fifth attempt to pass a law this month giving the country’s intelligence service legal powers to deploy spyware on phones and computers. Civil society groups are holding discussions with MPs on far-right Freedom Party (FPO) and the Greens, both of which voted against the new surveillance measures, regarding a legal challenge to Austria’s constitutional court.
Austria’s lower house passed the law on 9 July 2025, giving the Austrian intelligence service – the Directorate of State Protection and Intelligence (DSN) – the capability to deploy spyware, known as “a state trojan”, to monitor encrypted communications on services such as WhatsApp and Signal.
The three coalition governing parties, ÖVP, SPÖ and NEOS, agreed to changes to the State Protection and Intelligence Service Act (SNG), the Telecommunications Act 2021, the Security Police Act (SPG) and other laws to allow the state to spy on encrypted messages and gather other data stored on electronic devices.
The coalition government, headed by chancellor Christian Stocker, argued that Austria should have a legal framework to enable it to monitor encrypted messaging services in line with countries such as the UK and the US.
Austrian politicians pressed the case after a tip-off from the US Central Intelligence Agency (CIA) warning of an impending attack at a Taylor Swift concert, part of the Eras Tour, in August 2024 led to the cancellation of three concerts in the country. US intelligence reportedly identified that one of the suspects pledged to ISIS-K on the Telegram messaging app.
Former chancellor Karl Nehammer also cited Austria’s biggest spying scandal, the Egisto Ott affair, as a reason for the DSN to be given more tools to act against foreign intelligence services, including the ability to intercept encrypted messaging services.
The new law has been criticised by civil society groups and some technology companies, which argue that the introduction of a “state trojan” will undermine internet security for Austrian citizens.
In July, 50 civil society groups from 16 countries wrote an open letter to MPs and the Austrian National Council, warning that the move to increase state surveillance would be a historic step backwards for IT security.
The civil society groups said the draft law was based on a “legal fiction” that would mean that, rather than protecting the population from cyber security risks, the state would instead promote and maintain security vulnerabilities, which will inevitably be discovered and exploited by hackers and hostile nation-states.
They point to the WannaCry ransomware attacks, which exploited a security vulnerability developed by the US National Security Agency (NSA) to infiltrate computer systems, causing severe disruption of hospitals, trains and mobile phone networks in 2017.
Thomas Lohninger, executive director of digital rights organisation Epicenter.Works, told Computer Weekly, that his organisation will “try everything” to challenge the new law in Austria’s constitutional court. This includes bringing a constitutional challenge from the opposition Green Party and far right FPÖ MPs before the law is enacted – a move that requires support from a third of MPs.
venturebeat.com - OpenAI abruptly removed a ChatGPT feature that made conversations searchable on Google, sparking privacy concerns and industry-wide scrutiny of AI data handling.
OpenAI made a rare about-face Thursday, abruptly discontinuing a feature that allowed ChatGPT users to make their conversations discoverable through Google and other search engines. The decision came within hours of widespread social media criticism and represents a striking example of how quickly privacy concerns can derail even well-intentioned AI experiments.
The feature, which OpenAI described as a “short-lived experiment,” required users to actively opt in by sharing a chat and then checking a box to make it searchable. Yet the rapid reversal underscores a fundamental challenge facing AI companies: balancing the potential benefits of shared knowledge with the very real risks of unintended data exposure.
How thousands of private ChatGPT conversations became Google search results
The controversy erupted when users discovered they could search Google using the query “site:chatgpt.com/share” to find thousands of strangers’ conversations with the AI assistant. What emerged painted an intimate portrait of how people interact with artificial intelligence — from mundane requests for bathroom renovation advice to deeply personal health questions and professionally sensitive resume rewrites. (Given the personal nature of these conversations, which often contained users’ names, locations, and private circumstances, VentureBeat is not linking to or detailing specific exchanges.)
“Ultimately we think this feature introduced too many opportunities for folks to accidentally share things they didn’t intend to,” OpenAI’s security team explained on X, acknowledging that the guardrails weren’t sufficient to prevent misuse.
scworld.com 04.08 - Aeroflot, Russia's flag carrier, had travel information purportedly from its CEO Sergei Aleksandrovsky leaked by Belarusian hacktivist operation Cyber Partisans after Russian internet watchdog Roskomnadzor refuted any data breach resulting from last week's massive cyberattack that has prompted the cancellation of more than 50 flights, reports The Record, a news site by cybersecurity firm Recorded Future.
Included in the exposed data were information from over 30 flights taken by Aleksandrovsky from April 2024 to June 2025, claimed Cyber Partisans, which threatened the imminent reveal of more stolen data following the theft of Aeroflot's entire flight history database. Cyber Partisans noted that the extensive data compromise was made possible by weak employee credentials and the airline's use of outdated Windows versions. While the legitimacy of the data has not yet been confirmed, it contained Aleksandrovsky's passport number that matched those found in older breaches, according to investigative news outlet The Insider.
tomshardware.com - A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Selling properties and cutting staff numbers wasn't enough to save the business.
The Einhaus Group was once a familiar name, with its services available through 5,000 retail outlets in Germany and an annual revenue of around 70 million Euros.
A leading mobile device insurance and service network has initiated insolvency proceedings in the wake of a cyberattack. Germany’s Einhaus Group was targeted by hackers in March 2023 and is understood to have paid a ransom(ware) fee of around $230,000 at the time, according to Wa.de and Golem.de (machine translations). However, the once large and successful company, with partnerships including Cyberport, 1&1, and Deutsche Telekom, struggled to recover from the service interruption and the obvious financial strains, which now appear to be fatal.
The ides of March
In mid-March 2023, Wilhelm Einhaus, founder of the Einhaus Group, recalls coming into the office in the morning to witness a ‘horrific’ greeting. On the output tray of every printer in the office was a page announcing, “We've hacked you. All further information can be found on the dark web.” Further investigations revealed that the hack group 'Royal' was the culprit. They had encrypted all of Einhaus Group’s systems, which were essential for the day-to-day running of the business. 'Royal' demanded a ransom payment, thought to be around $230,000 in Bitcoins, to return access to the computers.
Of course, with operational systems down, there was an immediate impact on Einhaus. The police were involved promptly. However, the affected firm seems to have decided to pay the ransom, as it could see business losses/damages piling up – meaning continuing without the computer systems was untenable. Einhaus estimated that the hacker-inflicted damage to its business was in the mid-seven-figure range.
nltimes.nl - Several major government institutions across the Caribbean part of the Kingdom of the Netherlands were hit by cyberattacks last week, including a ransomware attack on Curaçao’s Tax and Customs Administration that temporarily disabled critical services, NOS reports.
According to Curaçao’s Minister of Finance, ransomware was used in the attack on the tax authority. After the breach was discovered by staff, one of the agency’s systems was taken offline as a precaution. An investigation into the origin and impact of the attack is ongoing. The Ministry of Finance stated that no confidential information was compromised.
Despite the breach, the online platform for filing and paying taxes remained operational. However, both the telephone customer service and in-person assistance were unavailable for several days. All services were restored by Monday, the ministry confirmed.
Meanwhile, the Court of Justice — which operates across all six Caribbean islands of the Kingdom — was also affected by a cyber incident. A virus was detected in the court’s IT system, prompting officials to shut down the entire computer network out of caution. Several court cases scheduled for last week were postponed, although most hearings continued as planned. Restoration efforts are still underway.
In Aruba, hackers also gained unauthorized access to official email accounts belonging to members of parliament. The extent of the breach and potential consequences remain unclear.
In response to the string of incidents, authorities on Sint-Maarten issued a public alert urging businesses and institutions on the islands to increase their cybersecurity vigilance.
The wave of cyberattacks follows a separate hacking incident in the Netherlands just two weeks ago, when the national Public Prosecution Service (Openbaar Ministerie) disconnected all its systems from the internet after detecting a breach. The disruption continues to have major consequences. Defense attorneys have reported significant difficulty accessing essential information, hindering their ability to represent clients.
france24.com - Chinese authorities summoned Nvidia representatives on Thursday to discuss "serious security issues" over some of its artificial intelligence chips, as the US tech giant finds itself entangled in trade tensions between Beijing and Washington.
Nvidia is a world-leading producer of AI semiconductors, but the United States effectively restricts which chips it can export to China on national security grounds.
A key issue has been Chinese access to the "H20", a less powerful version of Nvidia's AI processing units that the company developed specifically for export to China.
The California-based firm said this month it would resume H20 sales to China after Washington pledged to remove licensing curbs that had halted exports.
But the firm still faces obstacles -- US lawmakers have proposed plans to require Nvidia and other manufacturers of advanced AI chips to include built-in location tracking capabilities.
And Beijing's top internet regulator said Thursday it had summoned Nvidia representatives to discuss recently discovered "serious security issues" involving the H20.
The Cyberspace Administration of China said it had asked Nvidia to "explain the security risks of vulnerabilities and backdoors in its H20 chips sold to China and submit relevant supporting materials".
The statement posted on social media noted that, according to US experts, location tracking and remote shutdown technologies for Nvidia chips "are already matured".
The announcement marked the latest complication for Nvidia in selling its advanced products in the key Chinese market, where it is in increasingly fierce competition with homegrown technology firms.
Nvidia committed
CEO Jensen Huang said during a closely watched visit to Beijing this month that his firm remained committed to serving local customers.
Huang said he had been assured during talks with top Chinese officials during the trip that the country was "open and stable".
"They want to know that Nvidia continues to invest here, that we are still doing our best to serve the market here," he said.
Nvidia this month became the first company to hit $4 trillion in market value -- a new milestone in Wall Street's bet that AI will transform the global economy.
Jost Wubbeke of the Sinolytics consultancy told AFP the move by China to summon Nvidia was "not surprising in the sense that targeting individual US companies has become a common tool in the context of US-China tensions".
"What is surprising, however, is the timing," he noted, after the two countries agreed to further talks to extend their trade truce.
"China's action may signal a shift toward a more assertive stance," Wubbeke said.
Beijing is also aiming to reduce reliance on foreign tech by promoting Huawei's domestically developed 910C chip as an alternative to the H20, he added.
"From that perspective, the US decision to allow renewed exports of the H20 to China could be seen as counterproductive, as it might tempt Chinese hyperscalers to revert to the H20, potentially undermining momentum behind the 910C and other domestic alternatives."
New hurdles to Nvidia's operation in China come as the country's economy wavers, beset by a years-long property sector crisis and heightened trade headwinds under US President Donald Trump.
Chinese President Xi Jinping has called for the country to enhance self-reliance in certain areas deemed vital for national security -- including AI and semiconductors -- as tensions with Washington mount.
The country's firms have made great strides in recent years, with Huang praising their "super-fast" innovation during his visit to Beijing this month.
therecord.media 04.08 - Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.
Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.
SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.
The report focuses on intellectual property rights filings by Shanghai Firetech, a company the DOJ said works on behalf of the Shanghai State Security Bureau (SSSB). The company was allegedly involved in many of the Silk Typhoon attacks and was previously identified as part of the Hafnium attacks seen in 2021.
The researchers found previously unseen patents on offensive technologies tied to Shanghai Firetech, SentinelLabs expert Dakota Cary told Recorded Future News.
The findings suggest the company “serves other offensive missions not tied to the Hafnium cluster,” he said.
“The company also has patents on a variety of offensive tools that suggest the capability to monitor individual's homes, like ‘intelligent home appliances analysis platform,’ ‘long-range household computer network intelligentized control software,’ and ‘intelligent home appliances evidence collection software’ which could support surveillance of individuals abroad.”
Cary noted that intelligence agencies like the CIA are known to use similar tools.
Shanghai Firetech also filed patents for software for “remote” evidence collection, and for targeting routers and Apple devices, among other uses.
The patent for Apple computers stood out to the researchers because it allows actors to remotely recover files from devices and was not previously documented as a capability of any Hafnium-related threat actor.
SentinelLabs said the technologies “offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices.”
The Justice Department indicted two prominent hackers this month — Xu Zewei and Zhang Yu — that are accused of working with China’s Ministry of State Security (MSS) and its Shanghai bureau. The indictments said Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium/Silk Typhoon group.
Xu was arrested after flying into Milan on July 3, and prosecutors accused both men of being deeply involved in China’s cyberattacks on institutions working on COVID-19 vaccines throughout 2020 and 2021. The DOJ obtained emails from Xu to the Shanghai security bureau confirming he had acquired the contents of the COVID-19 researchers’ mailboxes.
nytimes.com 04.08 - The introduction of a state-approved messaging app has raised fears that Russia could be preparing to block WhatsApp and Telegram.
Russia is escalating its efforts to curtail online freedom, taking new steps toward a draconian state-controlled internet.
The authorities are cracking down on workarounds that Russians have been using for access to foreign apps and banned content, including through new laws signed by President Vladimir V. Putin this past week. Moscow has also been impeding the function of services from U.S. tech companies, like YouTube, that Russians have used for years.
At the same time, the Kremlin is building out a domestic ecosystem of easily monitored and censored Russian alternatives to Western tech products. That includes a new state-approved messaging service, MAX, which will come preinstalled by law on all new smartphones sold in Russia starting next month.
The idea, experts say, is to migrate more Russians from an open internet dominated by the products of Western tech giants to a censored online ecosystem, where Russians primarily use software under the gaze and influence of the state. The effort has advanced significantly amid wartime repression, but it is unclear how far it will go.
“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”“The goal here is absolute control,” said Anastasiia Kruope, a researcher at Human Rights Watch who wrote a recent report on declining Russian internet freedoms.
The Kremlin wants to control not only the information available online but also where and how internet traffic flows, Ms. Kruope said, so the Russian internet can function in isolation and be switched on and off at will. Russia’s technical capabilities for clamping down are improving, she added.
“They are not perfect,” Ms. Kruope said. “They are not nearly at the level they would like them to be. But they are getting better, and this is the reason to start paying attention.”
blog.pypi.org - - The Python Package Index Blog - PyPI Users are receiving emails detailing them to log in to a fake PyPI site.
PyPI has not been hacked, but users are being targeted by a phishing attack that attempts to trick them into logging in to a fake PyPI site.
Over the past few days, users who have published projects on PyPI with their email in package metadata may have received an email titled:
[PyPI] Email verification
from the email address noreply@pypj.org.
Note the lowercase j in the domain name, which is not the official PyPI domain, pypi.org.
This is not a security breach of PyPI itself, but rather a phishing attempt that exploits the trust users have in PyPI.
The email instructs users to follow a link to verify their email address, which leads to a phishing site that looks like PyPI but is not the official site.
The user is prompted to log in, and the requests are passed back to PyPI, which may lead to the user believing they have logged in to PyPI, but in reality, they have provided their credentials to the phishing site.
PyPI Admins are looking into a few methods of handling this attack, and want to make sure users are aware of the phishing attempt while we investigate different options.
There is currently a banner on the PyPI homepage to warn users about this phishing attempt.
Always inspect the URL in the browser before logging in.
We are also waiting for CDN providers and name registrars to respond to the trademark and abuse notifications we have sent them regarding the phishing site.
If you have received this email, do not click on any links or provide any information. Instead, delete the email immediately.
If you have already clicked on the link and provided your credentials, we recommend changing your password on PyPI immediately. Inspect your account's Security History for anything unexpected.
reuters.com - July 30 (Reuters) - More than 90 state and local governments have been targeted using the recently revealed vulnerability in Microsoft server software, according to a U.S. group devoted to helping local authorities collaborate against hacking threats.
The nonprofit Center for Internet Security, which houses an information-sharing group for state, local, tribal, and territorial government entities, provided no further details about the targets, but said it did not have evidence that the hackers had broken through.
None have resulted in confirmed security incidents," Randy Rose, the center's vice president of security operations and intelligence, said in an email.
A wave of hacks hit servers running vulnerable versions of Microsoft SharePoint this month, causing widespread concern. The campaign has claimed at least 400 victims, according to Netherlands-based cybersecurity firm Eye Security. Multiple federal government agencies are reportedly among the victims, and new ones are being identified every day.
On Wednesday, a spokesperson for one of the U.S. Department of Energy's 17 national labs said it was among those hit.
"Attackers did attempt to access Fermilab's SharePoint servers," the spokesperson said, referring to the U.S. Fermi National Accelerator Laboratory. "The attackers were quickly identified, and the impact was minimal, with no sensitive or classified data accessed." The Fermilab incident was first reported by Bloomberg.
The U.S. Department of Energy has previously said the SharePoint security hack has affected "a very small number" of its systems
channelnewsasia.com - The decision to identify cyber threat group UNC3886 was because Singaporeans “ought to know about it” given the seriousness of the threat, said the minister.
SINGAPORE: While naming a specific country linked to cyber threat group UNC3886 is not in Singapore’s interest at this point in time, the attack was still serious enough for the government to let the public know about the group, said Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam on Friday (Aug 1).
Speaking to reporters on the side of the Cyber Security Agency of Singapore’s (CSA) Exercise Cyber Star, the national cybersecurity crisis management exercise, Mr Shanmugam said that when it comes to naming any country responsible for a cyber attack, “we always think about it very carefully”.
Responding to a question from CNA on reports tying the group to China, Mr Shanmugam said: “Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.
“We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.”
UNC3886 has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
Mr Shanmugam had announced on Jul 18 that Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, identifying the entity as UNC3886 without disclosing if it was a state-linked actor.
He said the threat actor poses a serious danger to Singapore and could undermine the country's national security, and added that it was not in Singapore's security interests to disclose further details of the attack then.
When asked the following day about UNC3886's alleged links to China and possible retaliation for naming them, Mr Shanmugam, who is also Home Affairs Minister, said this was "speculative".
"Who they are linked to and how they operate is not something I want to go into," he said.
Responding to media reports in a Jul 19 Facebook post, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at the claims linking the country to UNC3886, stating that they were "groundless smears and accusations against China".
“In fact, China is a major victim of cyberattacks," it wrote.
"The embassy would like to reiterate that China is firmly against and cracks down (on) all forms of cyberattacks in accordance with law. China does not encourage, support or condone hacking activities."
On Friday, Mr Shanmugam also gave his reasons for disclosing the identity of threat actors like UNC3886.
“We look at the facts of each case (and) the degree of confidence we have before we can name. And when we decide to name the threat actor, we look at whether it is in Singapore's best interest,” said Mr Shanmugam, who is also the home affairs minister.
In this case, the threat, attack and compromise to Singapore’s infrastructure was “serious enough” and the government was confident enough to name UNC3886 as the perpetrators, he said.
“Here, we said this is serious. They have gotten in. They are compromising a very serious critical infrastructure. Singaporeans ought to know about it, and awareness has got to increase. And because of the seriousness, it is in the public interest for us to disclose,” said Mr Shanmugam.
therecord.media (01.08.2025) - Authorities in Luxembourg said a nationwide telecommunications outage in July was caused by a deliberately disruptive cyberattack. Huawei networking products were reportedly the target.
Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure.
The outage on July 23 left the country’s 4G and 5G mobile networks unavailable for more than three hours. Officials are concerned that large parts of the population were unable to call the emergency services as the fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible.
According to government statements issued to the country’s parliament, the attack was intentionally disruptive rather than an attempt to compromise the telecoms network that accidentally led to a system failure.
Officials said the attackers exploited a vulnerability in a “standardised software component” used by POST Luxembourg, the state-owned enterprise that operates most of the country’s telecommunications infrastructure. The government’s national alert system, which officials had intended to use to warn the population about the incident, failed to reach many people because it also depends on POST’s mobile network.
POST’s director-general described the attack itself as “exceptionally advanced and sophisticated,” but stressed it did not compromise or access internal systems and data. POST itself and the national CSIRT are currently forensically investigating the cause of the outage.
Although the government’s statements avoid naming the affected supplier, Luxembourg magazine Paperjam reported the attack targeted software used in Huawei routers. Paperjam added that the country’s critical infrastructure regulator is currently asking any organisations using Huawei enterprise routers to contact the CSIRT.
Remote denial-of-service vulnerabilities have previously been identified in the VRP network operating system used in Huawei’s enterprise networking products, although none have recently been publicly identified. Huawei’s press office did not respond to a request for comment.
The Luxembourg government convened a special crisis cell within the High Commission for National Protection (HCPN) to handle the response to the incident and to investigate its causes and impacts, alongside the CSIRT and public prosecutor.
The CSIRT’s full forensic investigation is intended to confirm how the attack happened, while the public prosecutor will assess whether a crime has taken place and if a perpetrator can be identified and prosecuted.
The incident has also accelerated Luxembourg’s national resilience review, a process already underway before the attack. Authorities, concerned that a single point of failure had such a dramatic disruptive effect, are now reassessing the robustness of critical infrastructure, including fallback procedures for telecom and emergency services.
Luxembourg is also exploring regulatory changes to allow mobile phones to automatically switch to other operators’ networks during telecom outages, a practice already used in countries like the United Kingdom, Germany and the United States for emergency calls.
techcrunch.com 24.07 - "We're getting a lot of stuff that looks like gold, but it's actually just crap,” said the founder of one security testing firm. AI-generated security vulnerability reports are already having an effect on bug hunting, for better and worse.
So-called AI slop, meaning LLM-generated low-quality images, videos, and text, has taken over the internet in the last couple of years, polluting websites, social media platforms, at least one newspaper, and even real-world events.
The world of cybersecurity is not immune to this problem, either. In the last year, people across the cybersecurity industry have raised concerns about AI slop bug bounty reports, meaning reports that claim to have found vulnerabilities that do not actually exist, because they were created with a large language model that simply made up the vulnerability, and then packaged it into a professional-looking writeup.
“People are receiving reports that sound reasonable, they look technically correct. And then you end up digging into them, trying to figure out, ‘oh no, where is this vulnerability?’,” Vlad Ionescu, the co-founder and CTO of RunSybil, a startup that develops AI-powered bug hunters, told TechCrunch.
“It turns out it was just a hallucination all along. The technical details were just made up by the LLM,” said Ionescu.
Ionescu, who used to work at Meta’s red team tasked with hacking the company from the inside, explained that one of the issues is that LLMs are designed to be helpful and give positive responses. “If you ask it for a report, it’s going to give you a report. And then people will copy and paste these into the bug bounty platforms and overwhelm the platforms themselves, overwhelm the customers, and you get into this frustrating situation,” said Ionescu.
“That’s the problem people are running into, is we’re getting a lot of stuff that looks like gold, but it’s actually just crap,” said Ionescu.
Just in the last year, there have been real-world examples of this. Harry Sintonen, a security researcher, revealed that the open source security project Curl received a fake report. “The attacker miscalculated badly,” Sintonen wrote in a post on Mastodon. “Curl can smell AI slop from miles away.”
In response to Sintonen’s post, Benjamin Piouffle of Open Collective, a tech platform for nonprofits, said that they have the same problem: that their inbox is “flooded with AI garbage.”
One open source developer, who maintains the CycloneDX project on GitHub, pulled their bug bounty down entirely earlier this year after receiving “almost entirely AI slop reports.”
The leading bug bounty platforms, which essentially work as intermediaries between bug bounty hackers and companies who are willing to pay and reward them for finding flaws in their products and software, are also seeing a spike in AI-generated reports, TechCrunch has learned.
