This Week in Cybersecurity #40
Dating Apps Breach Millions, China Hacks Notepad++, Poland's Grid Devices Bricked, $158B in Illicit Crypto, CISA Issues Triple Alert, and Healthcare Under Siege
Good morning, Security Gang!
This week proved that attackers weaponize the tools and vendors we trust most, and that operational resilience, not prevention, now determines survival. Breaches at Bumble and Match Group platforms (Tinder, OkCupid, Hinge) hit millions of users, exposing profile data and message metadata; China executed a supply chain attack on Notepad++, pushing trojanized updates through compromised hosting; and Russia bricked ICS devices at 30 Polish energy sites in operational warfare designed for destruction, not espionage.
Meanwhile, CISA issued three separate exploit alerts in a single day, the first time ever: a SolarWinds Web Help Desk RCE, a VMware ESXi ransomware zero-day, and a legacy GitLab SSRF with 49,000 exposed instances. Add $158 billion in illicit crypto flows (a 145% surge), Step Finance losing $40M after an executive device compromise, a Johnson Controls CVSS 10/10 vulnerability putting smart buildings at risk, 341 malicious npm/PyPI packages poisoning developer ecosystems, Lakeland Public Health systems offline and disrupting patient care, leaked Harvard and UPenn alumni data, Russia’s APT28 exploiting Microsoft zero-days within 24 hours, and the White House unveiling an industry-collaborative cyber strategy, and you have a week proving that we’re only as resilient as our weakest integration and that the biggest breach risk isn’t outside the firewall but the person who already has the keys.
Let’s break it down, coffee ready, Security Gang, because trust has become the weapon.
💔 CONSUMER & DATING APP BREACHES
Bumble and Match Confirm Data Breaches Impacting Millions
Both Bumble and Match Group platforms—which include Tinder, OkCupid, and Hinge—reported data breaches potentially impacting tens of millions of users worldwide. Leaked data includes profile information, contact details, and metadata from private messages.
The breach introduces serious risks of targeted harassment, extortion, and credential reuse, especially for corporate employees who reuse personal credentials across work systems.
James emphasized: “When personal and professional overlap, breaches like this become business risk, not gossip fodder.”
CISOs Should:
Coordinate with HR to issue company-wide credential hygiene resets
Require password refreshes for anyone reusing personal logins
Deploy credential-stuffing detection in corporate SSO
Panera Bread Confirms 5.1 Million Accounts Exposed
After weeks of speculation, Panera Bread expanded its data breach disclosure to 5.1 million customers. Exposed data includes names, contact information, loyalty card details, and purchase histories, all of which can be used in phishing and brand impersonation attacks.
James noted: “Even executives order Panera — this breach hits inboxes we can’t afford to ignore.”
Recommendation:
Add Panera lookalike domain detection to email filters
Quarantine emails combining brand keywords with payment or credential requests
Expect ShinyHunters to exploit this data for targeted phishing
NationStates Game Breach Shuts Down Platform
The NationStates multiplayer political simulation game was forced offline after a user exploited a remote code execution vulnerability and accessed both application code and user data. While it sounds minor, the real risk is credential reuse: many employees use personal emails or identical passwords across corporate systems.
Mitigate by:
Forcing SSO session refreshes
Rotating reused credentials
Monitoring for new ASN logins on high-risk corporate apps
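The two SSO detections recommended above (credential-stuffing detection in corporate SSO, and monitoring for new-ASN logins on high-risk apps) can be sketched as follows. This is an added example, not part of the original newsletter; the log format, field names, thresholds, baseline, and app names are assumptions to map onto whatever your identity provider exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SSO events (documentation IP ranges and ASNs only).
SAMPLE_LOG = """\
ts=2026-02-02T08:00:05 user=alice app=payroll asn=AS64500 ip=198.51.100.10 result=success
ts=2026-02-02T09:14:01 user=bob app=vpn asn=AS64510 ip=203.0.113.7 result=failure
ts=2026-02-02T09:14:09 user=carol app=vpn asn=AS64510 ip=203.0.113.7 result=failure
ts=2026-02-02T09:14:20 user=dave app=vpn asn=AS64510 ip=203.0.113.7 result=failure
ts=2026-02-02T09:15:02 user=alice app=payroll asn=AS64510 ip=203.0.113.7 result=success
ts=2026-02-02T11:30:00 user=bob app=wiki asn=AS64511 ip=192.0.2.44 result=success
ts=2026-02-02T11:31:00 user=bob app=vpn asn=AS64501 ip=198.51.100.20 result=failure
"""

# Assumed inputs: ASNs each user has logged in from before, and the apps
# the organization treats as high risk.
BASELINE = {"alice": {"AS64500"}, "bob": {"AS64501"}}
HIGH_RISK_APPS = {"payroll", "vpn"}


def load(text):
    """Parse key=value log lines into event dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(kv.split("=", 1) for kv in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def credential_stuffing(events, window=timedelta(minutes=5), min_users=3):
    """Source IPs with failed logins for >= min_users distinct accounts
    inside one sliding window. Returns {ip: sorted list of targeted users}."""
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "failure":
            fails[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for ip, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans <= `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {user for _, user in items[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def stuffing_hits(events, flagged_ips):
    """Successful logins from an IP already flagged for stuffing: these
    accounts likely had a reused password and need a forced reset."""
    return [(ev["user"], ev["ip"]) for ev in events
            if ev["result"] == "success" and ev["ip"] in flagged_ips]


def new_asn_logins(events, baseline, high_risk_apps):
    """Successful logins to high-risk apps from an ASN the user has never
    used before. Returns (user, app, asn) tuples."""
    alerts = []
    for ev in events:
        if ev["result"] != "success" or ev["app"] not in high_risk_apps:
            continue
        if ev["asn"] not in baseline.get(ev["user"], set()):
            alerts.append((ev["user"], ev["app"], ev["asn"]))
    return alerts


if __name__ == "__main__":
    evs = load(SAMPLE_LOG)
    flagged = credential_stuffing(evs)
    print("stuffing sources:", flagged)
    print("accounts hit:", stuffing_hits(evs, flagged))
    print("new-ASN logins:", new_asn_logins(evs, BASELINE, HIGH_RISK_APPS))
```

In the sample, the same source that sprayed three accounts then logs in successfully as a fourth from an ASN outside that user's baseline, which is the combination that should trigger a session revoke and credential rotation.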
🦠 SUPPLY CHAIN & TRUST CHAIN COMPROMISES
China’s Notepad++ Supply Chain Hack Exposes Global Users
Investigators confirmed a China-linked supply chain attack on Notepad++, where threat actors compromised the hosting provider that distributes software updates. The attackers injected a trojanized update into the distribution pipeline, effectively turning a trusted tool into a credential-harvesting Trojan horse.
This wasn’t a noisy crypto-mining op—it was quiet persistence, designed for long-term espionage and credential theft.
James observed: “This is SolarWinds, but normalized — SolarWinds isn’t rare anymore; it’s the playbook.”
Mitigation:
Verify every third-party update via internal code-signing and SBOM validation
Test updates in sandbox environments before release
The Notepad++ team has since migrated to a new hosting provider
Developer Ecosystem Poisoned by 341 Malicious Packages
Security researchers uncovered 341 tainted packages across npm and PyPI, seeded with stealers and post-install beacons. These malicious uploads rely on typosquatting to trap developers installing from public repos.
Mitigation:
Mirror all third-party libraries in internal proxies
Block direct public installs on corporate devices
Enforce version pinning for critical builds
James warned: “One typo by a dev can be a full-blown breach. That’s not bad luck, that’s predictable risk.”
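A pre-merge check for the pinning and typosquatting mitigations above, as an added example that is not from the original newsletter: it audits a pip requirements file for unpinned entries and for names that sit within a small edit distance of a package the internal mirror actually carries. The approved list, the distance threshold, and the sample file are assumptions.

```python
import re

# Assumption: packages carried by the internal proxy. In practice, load this
# from the mirror's index instead of hard-coding it.
APPROVED = {"requests", "numpy", "cryptography", "urllib3", "pyyaml"}

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\s*==\s*([A-Za-z0-9.!+*_-]+)")

# Constructed sample requirements file.
SAMPLE = """\
# constructed sample, not from a real project
requests==2.31.0
reqeusts==2.31.0
numpy>=1.24
PyYAML==6.0.1
crytography==42.0.5
leftpad-utils==0.1.0
"""


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, keeping only the previous row in memory."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_requirements(text, approved=APPROVED, max_distance=2):
    """Return (line_number, finding, detail) tuples for a requirements file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # comments, blank lines, pip options
            continue
        m = NAME_RE.match(line)
        if not m:
            findings.append((lineno, "unparsed", line))
            continue
        name = normalize(m.group(1))
        pin = PIN_RE.match(line)
        if not pin or "*" in pin.group(1):     # ranges and wildcards are not pins
            findings.append((lineno, "unpinned", name))
        if name in approved:
            continue
        near = sorted(p for p in approved if edit_distance(name, p) <= max_distance)
        if near:
            findings.append((lineno, "possible-typosquat", f"{name} ~ {near[0]}"))
        else:
            findings.append((lineno, "not-mirrored", name))
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

Run it as a CI gate and fail the build on any finding; a name that is genuinely new goes through the mirror's approval process rather than straight from the public index.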
Marquis Software Breach Traced to SonicWall Cloud Backup
Marquis Software, a key provider for financial institutions and public sector clients, says its network intrusion originated from a compromised SonicWall cloud backup. Attackers exploited the vendor’s trusted control channel to infiltrate internal assets.
Whether this claim is fully accurate or part of post-breach deflection, it highlights one truth: security vendors are still attack surfaces.
James said bluntly: “When your security vendor becomes your attack vector, you’re not in defense, you’re in denial.”
To Mitigate:
Place all vendor admin and backup access behind just-in-time privileged accounts
Zero-standing API keys
Device posture validation
Docker AI Plugin Exposes Developer Secrets
Docker shipped a patch for a flaw in its AI assistant plugin, which could leak developer environment secrets and registry tokens while processing AI prompts.
Actions:
Update to the fixed Docker Desktop extension
Disable the AI plugin organization-wide until verified in sandbox
Supply-chain tools need guardrails, not default trust
⚡ CRITICAL INFRASTRUCTURE ATTACKS
Poland Grid Attack Bricked ICS Devices at 30 Energy Sites
New findings show that Russia-linked actors behind the December Poland grid attack intentionally bricked field ICS devices, disrupting telemetry and control functions across 30 distributed energy sites.
This attack was not about data theft—it was operational warfare, echoing Sandworm-style tradecraft aimed at destruction and chaos rather than espionage.
James emphasized: “Wiper attacks aren’t about ransom, they’re about inflicting operational pain that lingers long after the logs go cold.”
CISOs in energy and manufacturing should:
Deploy unidirectional gateways or data diodes at remote sites
Prevent reverse command abuse
Isolate RTUs and gateways from central SCADA systems
Lakeland Public Health Cyberattack Disrupts Services
A cyberattack against Lakeland’s public health district in South Carolina has forced systems offline, disrupting patient care and delaying appointments. While attackers’ motives appear to center on operational paralysis, the impact underscores the fragility of healthcare systems.
James stated emphatically: “When you hit healthcare, you’re not just stealing data — you’re gambling with lives.”
His stance: Congress must treat attacks on healthcare systems as acts of domestic terrorism—punishable by extreme consequences, including life imprisonment or worse if human life is lost.
Mitigation:
Maintain paper-based downtime playbooks
Manual registration and emergency communication channels
Can’t rely on digital resilience alone when patients’ lives are on the line
🚨 CISA TRIPLE ALERT
For the first time in over 1,000 episodes, CISA issued three separate exploit alerts in a single day, all for vulnerabilities currently being exploited in the wild.
1️⃣ SolarWinds Web Help Desk RCE
SolarWinds Web Help Desk (WHD) is now confirmed to be actively exploited via chained authentication bypass and deserialization bugs. Attackers are leveraging this to gain unauthenticated code execution and move laterally through service accounts.
Mitigation:
Remove any public-facing WHD interfaces
Enforce mutual TLS
Rotate service account credentials after patching to kill persistent access
2️⃣ VMware ESXi Zero-Day Leads to Ransomware
A newly discovered ESXi zero-day is being used for fast encryption attacks across virtualized environments. Threat actors are detonating ransomware payloads at the hypervisor level—wiping out dozens of VMs within minutes.
James warned: “When hypervisors go down, your business goes with them — this isn’t theoretical, it’s operational.”
Mitigation:
Enable ESXi lockdown mode
Manage via isolated jump hosts
Disable HTTPS management on general subnets until patch compliance is confirmed
3️⃣ GitLab Legacy Exploit Resurfaces
Attackers are exploiting an old GitLab SSRF vulnerability (CVE-2021-39935) to exfiltrate repos, steal tokens, and tamper with CI/CD supply chains. Over 49,000 instances remain exposed online, mostly in China.
Mitigation:
Upgrade to a supported GitLab version
Hide admin panels behind VPNs
Revoke all stored credentials in outdated instances
🔥 ADDITIONAL CRITICAL ZERO-DAYS
Johnson Controls Vulnerability Puts Smart Buildings at Risk
A newly disclosed SQL injection vulnerability (CVE-2025-26385) in Johnson Controls building management software scores a perfect 10/10 CVSS, allowing unauthenticated remote access to critical infrastructure. This could enable attackers to manipulate HVAC systems, access control, and building automation networks—potentially serving as lateral gateways to corporate IT environments.
Recommendation:
Disable remote cloud access until patches are validated
Lab-test new firmware before deployment
Ivanti Zero-Day Under Active Exploitation
Ivanti Endpoint Manager Mobile (EPMM) is under active attack via two flaws enabling remote code execution and authentication bypass. Attackers are leveraging these weaknesses to deploy payloads to entire device fleets.
James noted: “Attackers love MDM because it’s a distribution hub for compromise — patch like your reputation depends on it, because it does.”
Actions:
Patch immediately
Geofence admin portals
Rotate credentials
Enforce hardware-key SSO until verified clean
React Native Zero-Day Under Active Exploitation
The React Native framework vulnerability CVE-2025-11953 is now being exploited in the wild. Attackers can execute remote code through malicious component packages, threatening both mobile and desktop apps built on the framework. This bug carries a CVSS score of 9.8.
Mitigate immediately by:
Upgrading to the patched version
Rebuilding all dependent apps
Enabling “break-the-build” gates in CI/CD for this package family
Citrix NetScaler Faces Massive Proxy Scanning Wave
Researchers detected a massive reconnaissance campaign hitting Citrix NetScaler and ADC edges using residential proxy networks to evade IP-reputation filters. This suggests attackers already have an exploit ready and are mapping exposed systems before launch.
James warned: “If they’re scanning, they’re planning. This is the calm before the exploit storm.”
If your NetScaler management plane is accessible from the internet:
Move management to dedicated, IP-allow-listed interfaces
Ensure you’re running the latest patch train
Google Looker Vulnerability Enables Data Exfiltration
Tenable researchers uncovered a vulnerability chain in Google Looker, enabling full instance takeover and data warehouse exfiltration if misconfigured. Attackers can escalate privileges from BI dashboards to underlying databases.
Mitigation:
Run Looker behind VPC Service Controls
Enforce separate service accounts per environment
Disable ad-hoc SQL runners from production datasets
vLLM Remote Code Execution Vulnerability
vLLM, an open-source large-language-model backend, patched a remote code execution flaw that allowed malicious model or URL inputs to execute commands on inference servers. LLM backends often run with broad system privileges and access to internal data, making this a potentially catastrophic breach vector.
Mitigation:
Disable remote asset fetching
Place vLLM behind an authenticated API gateway
Block all outbound egress from model servers by default
N8N Workflow Automation Vulnerabilities Exposed
Several new vulnerabilities in N8N, the popular workflow automation platform, are now public with proof-of-concept exploits available. Attackers can move from misconfigured webhooks to arbitrary code execution, accessing stored secrets or executing unauthorized workflows.
Mitigation:
Restrict webhook IPs to allowlists
Disable arbitrary “execute command” nodes
Limit workflow permissions in production environments
💰 CRYPTO & FINANCIAL CRIME
Illicit Crypto Flows Soar to $158 Billion
A new report from TRM Labs shows illicit crypto flows surged 145% year-over-year, reaching a staggering $158 billion across mixers, high-risk exchanges, and scam wallets. This includes funds from ransomware, pig-butchering scams, and BEC operations.
Though illicit activity only represents 1.3% of total blockchain volume, its sheer scale poses serious compliance risks.
James emphasized: “Crypto risk isn’t just regulatory anymore — it’s reputational and existential.”
Businesses dealing with crypto or digital payments must:
Restrict payouts to pre-approved wallets
Apply real-time chain risk analysis
Maintain off-chain audit logs for compliance
Step Finance Loses $40M After Executive Device Compromised
Step Finance confirmed a $40 million crypto theft after attackers compromised an executive’s endpoint and used it to authorize on-chain transactions. This wasn’t a smart contract bug; it was a device-level takeover.
James said clearly: “They didn’t hack the blockchain — they hacked the person holding the keys.”
Mitigation:
Move all high-value transactions to multi-sig hardware wallets requiring approvals from separately managed devices
No single laptop or phone should ever hold treasury access
Executive endpoints remain the soft underbelly of crypto and fintech operations
Cloud Storage Renewal Scams Target Finance Teams
Threat actors are sending fake cloud renewal and cancellation invoices, spoofing brands like Dropbox, OneDrive, and Google Drive. The goal is to trick users into paying fake fees or surrendering login credentials. These emails use urgent countdowns (“3 days before cancellation”) to trigger panic payments.
Mitigation:
Require AP and finance departments to pay invoices only within authenticated vendor portals
Never from links or phone numbers in emails
Train EAs and finance leads to treat “urgent renewals” as red flags
MongoDB Extortion Campaign Expands
Attackers continue to target internet-exposed MongoDB instances without authentication, scraping data and demanding ransom under the “pay or we leak” model. Even with backups, reputation damage and regulatory scrutiny make recovery costly.
Mitigation Steps:
Enforce IP allowlists and mandatory authentication
Deploy TLS encryption for all MongoDB connections
Auto-quarantine non-compliant cloud instances
🎯 NATION-STATE OPERATIONS
Russia’s APT28 Exploits Microsoft Zero-Day
Russian threat group APT28 (Fancy Bear) has been exploiting a Microsoft zero-day targeting Western governments within 24 hours of disclosure. Attackers delivered malicious documents that installed Covenant backdoors, using living-off-the-land techniques to evade detection.
Ukraine’s CERT observed active scanning and weaponization just hours after Microsoft’s advisory, showing how quickly state-backed adversaries adapt.
Mitigation:
PowerShell constraint policies
Script block logging
Alerting on non-IT admin activity
Russia and Allies Target Denmark in Coordinated Campaign
Russian-aligned hacker collectives have ramped up targeting of Danish infrastructure and government-linked organizations. The campaign blends influence operations and access prep, seeking to undermine European coordination.
Enterprises with Danish subsidiaries or EU integrations should:
Tighten geo-based access controls
Enforce hardware key MFA for any privileged connections from outside the EU
Google Engineer Convicted of Selling AI Tech to China
A U.S. court convicted former Google engineer Linwei Ding on seven counts of trade secret theft and economic espionage for exfiltrating over 2,000 pages of confidential AI material and uploading it to his personal Google Cloud Drive before attempting to sell it to Chinese tech companies. He now faces up to 150 years in prison.
James emphasized: “The biggest breach risk isn’t outside your firewall — it’s the person who already has the keys.”
This case underscores the insider threat risk:
Implement repo-level DLP
Require just-in-time approvals for bulk code exports
Maintain watchlists for high-value AI assets
Chinese Espionage Group Weaponizes WinRAR Flaw
China-linked APT41 (“Amaranth Dragon”) is exploiting a WinRAR vulnerability to deploy espionage loaders via booby-trapped archive files. Once extracted, these payloads live off the land, exfiltrating data stealthily.
Mitigation:
Block .rar attachments
Scan archives automatically in a sandbox
Educate users that compressed equals suspicious
James noted: “You can’t just block risky file types — you’ve got to give the business a safer alternative.”
🌐 EMERGING MALWARE & THREATS
New Data Wiper Malware Detected in the Wild
A new wiper family has surfaced, erasing event logs, corrupting file systems, and overwriting key boot sectors. Unlike ransomware, this isn’t about money; it’s destruction disguised as extortion.
James emphasized: “Wipers are the next frontier: economic warfare in digital form.”
Defend by:
Maintaining offline immutable backups
Rehearsing full restoration drills, not just for databases, but directory and license servers as well
InfoStealers Expanding Into Token & Session Theft
Traditional password-stealing malware has evolved into session and token theft, letting attackers log in without credentials. They’re now extracting cookies, API keys, and OAuth tokens, maintaining persistent access even after password resets.
CISOs Should:
Enforce phishing-resistant MFA (hardware keys and passkeys)
Add device posture checks for all SSO sessions
A stolen token should never satisfy authentication on its own
GlassWorm Malware Targets macOS Developers
A resurgence of GlassWorm malware is hitting macOS developers through malicious VS Code extensions hosted on Open VSX. The extensions, disguised as utilities, steal cloud credentials and tokens, compromising dev pipelines at their source.
Actions:
Lock down IDEs to signed, vetted extensions only
Rotate developer PATs and OAuth tokens if any suspect extensions were installed
ShinyHunters Expand SSO Abuse Playbook
Threat intel from Mandiant reveals that ShinyHunters are now exploiting SSO token replay and OAuth consent abuse to hijack cloud sessions. They’re moving away from password theft and focusing on persistent token compromise.
To Mitigate:
Enable continuous access evaluation (CAE)
Auto-revoke unused refresh tokens
Require admin consent approval for all new enterprise apps
NGINX Redirect Hijacks Surge
Threat actors are compromising NGINX web servers using weak credentials and outdated plugins, injecting malicious redirects and credit card skimmers into live sites. Because this happens at the reverse proxy layer, these attacks bypass WAF and app-level detection.
Mitigation:
Ship immutable NGINX configs
Enable file integrity monitoring
Sign deployment bundles via CI/CD attestation
🚨 ADDITIONAL DATA BREACHES
ShinyHunters Leak Harvard and UPenn Alumni Data
The ShinyHunters extortion group claims to have stolen and leaked data from Harvard University and the University of Pennsylvania, allegedly exposing donor and alumni details. The attackers are using the threat of publicity to pressure both institutions.
The real danger isn’t just data loss; it’s social engineering and financial fraud against alumni networks and donors. Attackers can impersonate advancement staff or craft convincing charity scams using real donor lists.
James explained: “Reputation is the currency for institutions like Harvard and UPenn, and that’s exactly what attackers are cashing in on.”
If your company employs Harvard or UPenn alumni:
Monitor for lookalike domains
Watch for spoofed donation requests that exploit this breach
Iron Mountain Data Breach Limited to Marketing Materials
Iron Mountain disclosed a limited data breach that impacted marketing materials, not customer or operational systems. The incident was small, but it still opens the door for brand impersonation and phishing. Attackers can now clone Iron Mountain’s look, tone, and logos to target corporate clients.
James noted: “It’s not the data that hurts you — it’s the brand built on it.”
CISOs Should:
Enable brand impersonation filters in email security tools
Flag any Iron Mountain-themed messages for the next 90 days
🏛️ POLICY & INDUSTRY DEVELOPMENTS
White House Cyber Strategy Begins Taking Shape
U.S. National Cyber Director Sean Cairncross unveiled the early outline of the Trump administration’s cybersecurity policy, signaling a shift toward industry collaboration and standardized regulation rather than punitive reporting mandates.
The plan emphasizes:
Public-private disruption campaigns
Workforce development
Aligning compliance “to function, not checklists”
James told listeners: “For the first time in a while, Washington might actually be listening to the people defending the networks.”
Key Takeaway: Companies should expect consolidation of overlapping regulations and more real-time coordination with federal agencies, not just paperwork.
FCC Issues Ransomware Preparedness Warning to Telecoms
The FCC has warned U.S. telecom providers to strengthen segmentation, incident communication, and customer notifications in the event of ransomware incidents. This move signals policy enforcement readiness and future audits across core network functions.
Telecom-dependent enterprises should:
Document secondary MFA routes
Establish alternate SIP providers to ensure operational continuity
Microsoft Releases AI Model Tampering Scanner
In good news, Microsoft has released a free tool to detect tampered AI models or poisoned machine learning datasets. This helps identify maliciously modified models that leak data or produce attacker-influenced responses.
If your organization is experimenting with AI:
Integrate this into ML Ops pipelines
Require model signing
Reject any artifact that fails verification
Varonis Acquires Altrue AI for $150M
Varonis announced a $150 million acquisition of Altrue AI, a move aimed at bolstering data security posture management (DSPM) and AI data governance. Expect new integrations around sensitive data discovery and LLM security within Varonis’s platform later this year.
✅ YOUR COMPREHENSIVE ACTION LIST
IMMEDIATE CRITICAL PATCHING:
SolarWinds Web Help Desk - Remove public interfaces; enforce mutual TLS; rotate service accounts
VMware ESXi - Enable lockdown mode; isolate management; disable HTTPS on general subnets
GitLab Legacy - Upgrade to supported version; hide admin panels behind VPN
Johnson Controls - CVSS 10/10 SQL injection; disable remote cloud access
Ivanti EPMM - Patch; geofence portals; rotate credentials; enforce hardware-key SSO
React Native - CVE-2025-11953 (9.8 CVSS); rebuild all apps; break-the-build gates
Citrix NetScaler - Move management to IP-allowlisted interfaces
Google Looker - VPC Service Controls; separate service accounts; disable ad-hoc SQL
vLLM - Disable remote fetching; API gateway; block egress
N8N - Restrict webhooks; disable execute commands; limit permissions
SUPPLY CHAIN DEFENSE:
Notepad++ - Verify updates via code-signing and SBOM validation
341 npm/PyPI packages - Mirror libraries internally; block public installs
Docker AI plugin - Update extension; disable until verified
Marquis/SonicWall - JIT privileged accounts; zero-standing API keys
MALWARE & EMERGING THREATS:
Wiper malware - Offline immutable backups; rehearse full restoration drills
InfoStealers - Phishing-resistant MFA; device posture checks for SSO
GlassWorm - Lock IDE extensions to signed/vetted only
ShinyHunters SSO - Enable CAE; auto-revoke unused refresh tokens
NGINX hijacks - Immutable configs; file integrity monitoring; sign deployments
🧠 JAMES AZAR’S CISO TAKE
This week’s stories prove one brutal reality: our threat landscape isn’t defined by tools; it’s defined by trust, and attackers weaponize the vendors, platforms, and people we rely on most.
When Bumble and Match breach millions, creating credential reuse risks across corporate systems, when China hacks Notepad++ distribution to push trojanized updates, proving SolarWinds is now a normalized playbook, when Russia bricks ICS devices at 30 Polish energy sites, inflicting operational pain designed to linger long after logs go cold, when CISA issues its first-ever triple alert in one day for SolarWinds Web Help Desk RCE, VMware ESXi ransomware at hypervisor level, and GitLab legacy SSRF with 49,000 exposed instances, when Step Finance loses $40 million not from smart contract flaws but from compromising the person holding the keys, when Johnson Controls’ CVSS 10/10 vulnerability exposes smart buildings to complete takeover, when 341 malicious npm/PyPI packages prove one developer typo equals full-blown breach, and when Lakeland Public Health systems go offline, gambling with patient lives, we’re witnessing the complete weaponization of trust chains, supply dependencies, and the human layer that holds privileged access.
The $158 billion in illicit crypto flows, Harvard and UPenn alumni data leaked for social engineering, the Google engineer facing 150 years for stealing AI trade secrets, Russia’s APT28 exploiting Microsoft zero-days within 24 hours, wipers emerging as economic warfare tools, and infostealers evolving from password theft to session token compromise all prove that we’re only as resilient as our weakest integration, and that operational resilience, not prevention, now determines survival.
The second critical lesson is that security must move closer to the developer and executive level, because you can’t just protect infrastructure, you must govern behavior and enforce smarter trust boundaries.
When healthcare cyberattacks should be prosecuted as domestic terrorism if lives are lost, when the White House finally shifts toward industry collaboration over punitive mandates, when ShinyHunters expand from credential theft to SSO token replay and OAuth consent abuse, when dating app breaches become business risk, not gossip, when NGINX reverse proxy hijacks bypass WAF detection, when Docker AI plugins leak developer secrets, when macOS GlassWorm targets VS Code extensions, and when cloud renewal scams exploit urgency psychology to trick finance teams, the universal truth is that the biggest breach risk isn’t outside your firewall but the person who already has the keys, and the future isn’t about bigger budgets but about shortening trust lifetimes, verifying every integration, rehearsing chaos recovery, and empowering every stakeholder, from executives to developers, to recognize that their devices, credentials, and approval moments are now primary attack vectors.
Because as James emphasized: when hypervisors go down, your business goes with them. This isn’t theoretical, it’s operational. And when your security vendor becomes your attack vector, you’re not in defense, you’re in denial.
We’re only as resilient as our weakest integration. Security must govern behavior, not just infrastructure. Shorten trust lifetimes, verify every vendor, and rehearse chaos recovery, because operational resilience determines survival.
Stay alert, stay caffeinated, and as always, stay cyber safe, Security Gang!
Coffee cup cheers, y’all—we’ll be back Monday at 9 AM Eastern Live!



