Security Insights: Identity Evolved, Supply Chain Risks & Active Exploits
Security Insights: Identity Evolved, Supply Chain Risks & Active Exploits
We look at the standout research and updates from across the industry to help you stay on top of emerging security trends.
Cloud & Configuration Security
Default Helm Charts Pose Kubernetes Security Risks
Default Helm charts used in Kubernetes deployments can lead to misconfigurations that expose sensitive data and cloud resources. This is often due to a lack of proper network restrictions and authentication.
Notable projects like Apache Pinot, Meshery, and Selenium Grid have default configurations that expose critical services externally. Security best practices include reviewing defaults, scanning public interfaces, and monitoring container activity.
Learn about risks from default Helm chart configurations
Microsoft Makes New Accounts Passwordless by Default
Microsoft announced that newly created accounts will be “passwordless by default” to bolster security against common password-related attacks like phishing and brute force. New users will be guided to set up passwordless sign-in methods, such as passkeys, authenticator apps, or Windows Hello, as the primary way to access their accounts, with Microsoft aiming to eventually phase out traditional password support.
BleepingComputer on Microsoft’s passwordless initiative
Software Supply Chain Security
Malicious PyPI Package ‘discordpydebug’ Targets Developers with RAT
A malicious Python package named discordpydebug, downloaded over 11,000 times from PyPI, contains a remote access trojan (RAT). It’s capable of reading/writing files and executing shell commands, posing a supply chain threat.
The malware uses outbound HTTP polling to evade detection and is part of a broader campaign involving multiple typosquatted packages. This highlights risks from open-source repositories targeting dev environments.
Read the Socket.dev blog on the malicious PyPI package
DoD’s SWFT Initiative to Bolster Software Supply Chain Security
The US Department of Defense (DoD) is launching the Software Fast Track (SWFT) initiative to modernise and secure its software procurement processes. It emphasises cybersecurity and supply chain risk management.
The initiative aims to improve visibility into software origins and accelerate secure software authorisation. Challenges remain with insecure communication practices using commercial apps for sensitive Pentagon business.
Read the DoD memo on accelerating secure software
Known Exploited Vulnerabilities (KEV) & Critical Advisories
Commvault RCE Flaw (CVE-2025-34028) Actively Exploited, Added to CISA KEV
CISA has added CVE-2025-34028, a critical path traversal vulnerability in Commvault Command Center, to its Known Exploited Vulnerabilities (KEV) catalogue. This flaw allows remote unauthenticated code execution and follows confirmed active exploitation.
The vulnerability involves a pre-authenticated Server-Side Request Forgery (SSRF) triggered via a malicious ZIP archive. It affects versions 11.38.0 through 11.38.19 and is patched in later releases.
View the CISA alert on CVE-2025-34028
Langflow AI Platform RCE (CVE-2025-3248) Actively Exploited
A critical remote code execution (RCE) vulnerability, CVE-2025-3248, in the Langflow open-source AI platform allows unauthenticated attackers to execute arbitrary code. This is achieved via a vulnerable API endpoint.
The flaw has been actively exploited and added to CISA’s KEV catalogue. A patch was released in version 1.3.0.
See the CISA KEV update for Langflow CVE-2025-3248
Google Patches Actively Exploited Android Zero-Day (CVE-2025-27363)
Google released security updates addressing 46 Android vulnerabilities. This includes CVE-2025-27363, a high-severity local code execution flaw in the System component rooted in the FreeType library.
This vulnerability allows code execution without user interaction and has been exploited in the wild. Users are strongly advised to update to the latest Android versions to mitigate these risks.
Consult the Android Security Bulletin for May 2025
AirBorne: Critical Zero-Click RCE Flaws in Apple AirPlay
A series of critical vulnerabilities in Apple’s AirPlay protocol, collectively named AirBorne, enable wormable zero-click remote code execution (RCE). This affects Apple and third-party devices via local networks, especially public Wi-Fi.
Exploits can lead to device takeover, backdoors, ransomware deployment, and denial-of-service conditions. Immediate patching of affected Apple OS versions and AirPlay SDKs is essential to mitigate these high-risk flaws.
AirBorne vulnerabilities in AirPlay
Cisco IOS XE Wireless Controllers: Critical Flaw (CVE-2025-20188) Patched
Cisco patched a critical vulnerability (CVE-2025-20188) in IOS XE Wireless Controllers. It allows unauthenticated remote attackers to upload arbitrary files and execute commands with root privileges via a hard-coded JWT.
The flaw affects multiple Catalyst 9800 series controllers if the Out-of-Band AP Image Download feature is enabled (disabled by default). Users should update or disable the feature.
Read the Cisco Security Advisory for CVE-2025-20188
Malware Threats & Offensive Campaigns
Golden Chickens Group Releases TerraStealerV2 Malware
The Golden Chickens cybercriminal group has released TerraStealerV2, a malware designed to steal browser credentials, cryptocurrency wallet data, and browser extension information. It is distributed via multiple Windows file formats.
The malware exfiltrates data to Telegram and external domains while leveraging trusted Windows utilities for evasion. Despite active development status and some outdated code, the threat actor’s continued evolution poses a risk to credential and crypto asset security.
Learn more about TerraStealerV2 and TerraLogger
Lampion Malware Uses ClickFix Lures in Portuguese Banking Attacks
A highly targeted Lampion malware campaign in Portugal uses phishing emails with “ClickFix” social engineering lures to steal sensitive banking information.
The multi-stage infection chain employs obfuscated VBScript loaders and PowerShell commands. This complicates detection and aids evasion of security products. Enhanced detection, user education, and monitoring of scripting and clipboard activity are recommended.
Analysis of the Lampion ClickFix campaign
UNC3944 Group Leverages Social Engineering for Widespread Extortion
UNC3944, also known as Scattered Spider, employs persistent social engineering and ransomware extortion targeting multiple sectors. The group exploits large enterprise organisations, particularly those with significant help desk and outsourced IT functions.
They leverage tactics such as MFA bypass, privilege escalation, and lateral movement. Comprehensive hardening recommendations focus on strong identity verification, phishing-resistant MFA, and vigilant monitoring.
UNC3944 proactive hardening recommendations from Google Cloud
Mirai Botnet Targets GeoVision and Samsung Devices via Critical Flaws
Cybercriminals are actively exploiting critical command injection and path traversal vulnerabilities in GeoVision IoT devices and Samsung MagicINFO servers. These are used to deploy the Mirai botnet for DDoS attacks.
The campaign leverages unpatched, end-of-life IoT devices and weaponises recently disclosed vulnerabilities. Security teams are urged to apply patches and upgrade affected devices.
Akamai’s research on Mirai exploiting GeoVision and Samsung
Brazilian Spam Campaign Abuses RMM Tool Trials for Remote Access
A spam campaign targeting Brazilian users abuses free trial periods of commercial Remote Monitoring and Management (RMM) tools to gain full remote control of victim machines.
The campaign uses phishing emails referencing Brazil’s electronic invoice system (NF-e) to lure victims into installing malicious RMM agents. Cisco Talos recommends disabling affected trial accounts and deploying layered security.
Talos’ insights on RMM abuse campaigns
MirrorFace APT Expands Espionage in Japan and Taiwan with Upgraded Malware
China-aligned APT MirrorFace (Earth Kasha/APT10 sub-cluster) targets Japanese and Taiwanese government entities with spear-phishing. Attacks deliver ROAMINGMOUSE and an upgraded ANEL backdoor with in-memory execution.
Legitimate OneDrive URLs and macro-laced Excel files deploy malware. SharpHide launches NOOPDOOR backdoor with DNS-over-HTTPS for C2. The campaign seeks sensitive governance data and IP.
Earth Kasha’s updated TTPs from Trend Micro
DDoS Attacks & Disruptions
Europol Takedown Disrupts Six Major DDoS-for-Hire Platforms
Europol dismantled six major DDoS-for-hire services. These enabled thousands of attacks on schools, government services, businesses, and gaming platforms worldwide.
These services offered easy-to-use interfaces, allowing low-skilled actors to launch disruptive attacks. The takedown involved arrests and domain seizures across multiple countries.
Europol’s announcement on the DDoS service takedown
Industry Reports, Research & Privacy
Verizon DBIR 2025: Rising Third-Party and Machine Identity Risks
The 2025 Verizon DBIR highlights that third-party exposure and machine credential abuse are key drivers behind major breaches, with third-party involvement doubling year-over-year.
Attackers increasingly exploit ungoverned machine accounts to gain access and escalate privileges, fuelling ransomware and data exfiltration. Organisations must adopt unified identity governance covering human, third-party, and machine identities.
2025 Verizon Data Breach Investigations Report
Chrome Leads in Mobile Browser User Data Collection, Research Finds
Surfshark’s research identifies Chrome as the mobile browser collecting the most types of user data, including sensitive financial details, followed by Bing and Safari.
Popular browsers tend to collect extensive data, often through integrated services. Privacy-focused browsers like Tor collect little to no data, highlighting privacy concerns for users of mainstream mobile browsers.