Good Morning Security Gang
It’s the second-to-last episode of the year and what a year it’s been. I keep saying it: 2025 has flown by faster than any year I can remember.
Today’s lineup is loaded — we’re talking Condé Nast’s 40 million record breach, a $7 million crypto heist from Trust Wallet, ransomware fallout still rippling across U.S. banks, Korean Air joining the Oracle EBS breach list, and a Coinbase insider getting arrested. We’ll also touch on Mustang Panda’s kernel-mode rootkit, the EM Editor supply chain compromise, Microsoft Copilot misconfigurations, a Lithuanian hacker extradited to Korea, and, of course, France being France with another privacy fine.
So, grab that Lavazza espresso — mine’s the original Nespresso pod, none of that new stuff — coffee cup cheers, y’all! Let’s power through.
Condé Nast Breach: 40 Million Records Claimed Stolen
Just a day after the Wired leak that exposed 2.3 million users, a hacker calling themselves “Lovely” is claiming to have stolen 40 million Condé Nast records, including Wired user data. While this isn’t catastrophic on its own, the risk here is credential stuffing and ad platform hijacks.
As I said on the show:
“When I was in banking, this kind of leak would trigger an instant cross-check with our customer base. If we found overlap, we’d reset passwords and notify clients immediately. That’s how you turn a breach into a business resilience story.”
For CISOs:
Cross-reference breach data with your user base.
Force password resets where overlap exists.
Monitor for account takeovers and advertising fraud.
Block reused passwords and enforce MFA, ideally FIDO2 phishing-resistant authentication.
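As an added example, not from the show or its author: a small Python triage script that cross-checks a constructed breach dump against a constructed internal user store, reports which accounts overlap, and, where the dump carries plaintext passwords, confirms actual reuse by verifying the leaked password against the stored hash. The PBKDF2 scheme, the salts and every account are assumptions made for the example.

```python
import hashlib
import hmac
PBKDF2_ITERATIONS = 100_000  # assumption: internal store uses PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password (hypothetical internal scheme)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def normalize_email(email: str) -> str:
    """Case-fold and trim so dump rows and directory rows compare reliably."""
    return email.strip().lower()

# Constructed internal user store: email -> (salt, PBKDF2 verifier). Not real customers.
INTERNAL_USERS = {
    "alice@example.com": (b"salt-alice-01", hash_password("Winter2024!", b"salt-alice-01")),
    "bob@example.com":   (b"salt-bob-02",   hash_password("correct-horse", b"salt-bob-02")),
    "carol@example.com": (b"salt-carol-03", hash_password("unique-pass-9", b"salt-carol-03")),
}

# Constructed breach dump in the common "email:password" combolist layout. Not real data.
BREACH_DUMP = """\
Alice@Example.com:Winter2024!
bob@example.com:hunter2
dave@other.example:letmein
carol@example.com:unique-pass-9
malformed line without separator
"""

def parse_dump(text: str):
    """Yield (email, password) pairs; skip rows that do not fit the layout."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield normalize_email(email), password

def triage(dump_text: str, users: dict) -> dict:
    """Return accounts present in the dump ('overlap') and those whose leaked password verifies ('reuse')."""
    overlap, reuse = [], []
    for email, leaked_pw in parse_dump(dump_text):
        record = users.get(email)
        if record is None:
            continue  # not our customer; nothing to do
        overlap.append(email)  # notify and enforce MFA
        salt, stored = record
        # Constant-time comparison avoids leaking timing information about the verifier.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            reuse.append(email)  # leaked credential works here: force an immediate reset
    return {"overlap": overlap, "reuse": reuse}
```

Accounts in "overlap" get the notification and MFA enforcement step; accounts in "reuse" are the ones a credential-stuffing attacker could already log into, so they get the forced reset first.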
Trust Wallet $7M Theft Hits 2,596 Wallets
Trust Wallet confirmed that $7 million was drained from 2,596 wallets after version 2.68.0 of its Chrome extension was compromised. The malicious version bypassed their internal checks through a Chrome Web Store API key exploit, suggesting a targeted software supply chain compromise.
Funds were stolen via malicious signing prompts and seed phrase theft — classic crypto theft patterns. Some stolen assets were frozen, but the majority have already been laundered through decentralized exchanges.
As I said: “If your seed phrase security depends on Chrome, you’re not securing assets — you’re gambling.”
Trust Wallet, owned by Binance, is urging users to reinstall the latest version and revoke all prior extension permissions.
U.S. Banks Hit by Marquis Ransomware Vendor Fallout
The ransomware attack on the vendor Marquis continues to hammer downstream victims — this time Artisans Bank and VeraBank. Both institutions confirmed their customer analytics and communications vendor was breached, exposing names, SSNs, loan records, and account details.
Artisans Bank said 32,344 individuals were directly affected; VeraBank didn’t disclose numbers. Overall impact is estimated between 788,000 and 1.3 million victims.
If you’re in banking, this breach should be a war-room level response:
Reissue debit cards.
Rehash passwords and reset keys.
Review pending transactions and increase fraud monitoring.
Tighten UEBA and customer behavior analytics.
This incident shows how one compromised vendor can ripple through the financial sector.
Korean Air Confirms Employee Data Compromised in Oracle EBS Breach
Korean Air has now joined the Oracle E-Business Suite (EBS) breach fallout, confirming that 30,000 employee records were exposed. The intrusion leveraged overprivileged service accounts and reporting jobs, part of a long chain of Oracle EBS exploitation that has affected dozens of global enterprises.
This breach’s risk profile is particularly sensitive: flight attendants and pilots are now targets for identity fraud and payroll scams, given their frequent travel.
If you’re managing employee data, segment HR systems from finance and travel apps — and monitor for payroll reroute attempts.
Coinbase Insider Arrested in India
An insider case straight out of a thriller — a Coinbase customer support agent in Hyderabad, India was arrested for helping cybercriminals steal customer information.
The agent reportedly assisted attackers by exporting internal records and metadata tied to customer wallets. Coinbase had flagged this in May, and now the perpetrator is in custody.
This underscores the insider threat problem in outsourced support centers. As I said:
“We’re not dealing with bad people — we’re dealing with people underpaid, overworked, and easily manipulated. The new insider threat isn’t espionage — it’s desperation.”
Companies must strengthen insider risk programs, incentivize ethical reporting, and educate workers on how to report bribery or coercion attempts safely.
Lithuanian Hacker Extradited for KMS Malware
A Lithuanian national has been extradited from Georgia to South Korea for operating the KMSAuto malware, which infected 2.8 million systems and stole crypto wallet credentials.
This marks another Interpol success story, proving how international collaboration can track down long-running cybercriminals. KMSAuto masqueraded as a Windows activator, then executed clipboard hijacks to reroute cryptocurrency transactions.
SOC teams should block PUP and activator categories in proxies, and hunt for KMSAuto registry artifacts.
EM Editor Supply Chain Attack Targets DevOps
A new supply chain compromise has been discovered targeting EM Editor, a widely used developer text editor. Attackers abused its signed update channel to deliver infostealer malware into developer environments.
If your organization uses EM Editor:
Restrict update mechanisms to allowlisted URLs.
Run secret scanning and rotate cloud tokens for impacted DevOps boxes.
Perform code-signing reputation checks in EDR tools.
Mustang Panda Deploys Kernel-Mode Rootkit
China-linked Mustang Panda is using a new kernel-mode rootkit to evade EDR detection and persist on high-value systems. The malware targets government and NGO networks across Southeast Asia and Europe, abusing unsigned kernel drivers to hide command execution.
To mitigate:
Enforce driver signing policies.
Monitor for unusual kernel driver loads.
Isolate high-risk users such as diplomats or policy analysts.
Microsoft Copilot Misconfigurations Lead to Data Exposure
Attackers are exploiting misconfigured Microsoft Copilot Studio “connected agents”, allowing prompt injection and SaaS data exfiltration through over-trusted connectors. Each connector must be treated as a production environment — scope access tightly, use short-lived tokens, and enable egress logging.
France Fines Company €1.7M for Privacy Failures
And finally — France doing what France does best: fining companies after breaches. Regulators fined NextPublica €1.7 million for failing to fix known vulnerabilities before a major breach.
The fine underscores how GDPR liability doesn’t end with disclosure — regulators now assess the maturity of your security program at the time of the breach.
Action List
🔑 Cross-match Condé Nast and Wired breach data with internal users.
🪙 Revoke Trust Wallet extension permissions and educate users on seed safety.
🏦 Audit vendor access pipelines for financial services platforms.
🧱 Patch Oracle EBS systems and rotate overprivileged service accounts.
🕵️‍♂️ Implement insider risk reporting channels for global support teams.
🧑‍💻 Harden DevOps update mechanisms and enable secret scanning.
🐼 Monitor for unsigned kernel drivers linked to Mustang Panda.
🤖 Treat Copilot connectors as production assets with least privilege.
🇫🇷 Review GDPR posture — “known vulnerability” now equals “negligence.”
James Azar’s CISO’s Take
Today’s show is a snapshot of the 2025 cybersecurity landscape in one episode — insider risk, supply chain, vendor compromise, and data fatigue all converging. The Condé Nast breach reminds us that every user database becomes a weapon when reused passwords are involved, while the Coinbase arrest highlights how easily human trust can be exploited.
My biggest takeaway? 2026 will be the year of accountability. Vendors, insiders, and even regulators are forcing security leaders to prove maturity, not just intention. Our job as CISOs is no longer to defend quietly — it’s to demonstrate openly that our programs work. Transparency, empathy, and automation are the new triad of resilience.
Stay alert, stay caffeinated, and as always — stay cyber safe.