🎓️ Vulnerable U | #124
Scattered Spider arrests, a bunch of sneaky extension malware, LLMs are the new SEO poisoning for phishing links, and much more!
Read Time: 6 minutes
Howdy friends!
I feel like we went from a summer lull into a full-on blitz towards Black Hat and DEF CON. Everyone came out of the woodwork and announced their big plans for hacker summer camp. I'm getting excited.
If you're going to Black Hat/DEF CON, would you be interested in a Vuln U meetup? Casual, swag drop, come say hey.
If you missed it, last week I launched the premium version of the newsletter. Have some really cool exclusive content cooking up for it.
ICYMI
🖊️ Something I wrote: A run through of Microsoft’s threat intel report on North Korean job infiltrations.
🎧️ Something I heard: Linux is not safe… - (Also some of you mentioned I linked the wrong video in last week’s newsletter. How to intentionally have a good summer)
🎤 Something I said: I made probably my most important video yet. The how to not get popped by Scattered Spider playbook.
📣 Something I think you’ll dig: You know I love a good report. Especially when big companies with lots of unique data and customer info decide to share it. I'm really excited to share my perspective on the new Vanta report. Join me live! *
🔖 Something I read: How the FBI thought this kid was a massive credit card fraud kingpin.
*Sponsored
Vulnerable News
Turns out some developers found a creative way to monetize browser extensions that's pretty sketchy. This Mellowtel library promises to pay extension developers for users' "unused bandwidth," but what it actually does is turn nearly a million browsers into a distributed web scraping botnet. The library injects hidden iframes into websites you visit, scrapes the content, and sends it back to AWS Lambda functions. To make that work it strips the Content-Security-Policy and X-Frame-Options response headers, which are exactly the headers a site uses to refuse being loaded inside someone else's frame.
The folks behind Mellowtel also run Olostep, a commercial web scraping API service. So they're essentially using unwitting browser extension users as proxies for their paying customers who want to scrape websites at scale. Google's already started nuking some of these extensions, but 129 Edge extensions and 69 Firefox extensions are still active. The corporate security implications are nasty - imagine your employees' browsers making arbitrary requests through your VPN or having critical security headers stripped from all their web traffic. (read more)
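As an added example (not Mellowtel's code or anything from the report), here is how the two headers it reportedly strips decide whether a page can be put in an iframe, what deleting them changes, and a check that lists which protections a response lost. The header values and origins are constructed; which headers beyond these two the real library removes is not known from the article.

```javascript
// Added example, not Mellowtel's code: how Content-Security-Policy frame-ancestors
// and X-Frame-Options decide whether a page may be loaded in an iframe, why an
// extension that deletes those headers turns a framing-resistant site into a
// scrapeable one, and a check that reports which protections a response lost.
// All header sets and origins below are constructed for illustration.

// Parse a CSP header value into { directiveName: [sourceExpressions] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one frame-ancestors source expression permit `embedderOrigin` to frame
// a document served from `responseOrigin`?
function ancestorMatches(src, responseOrigin, embedderOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return embedderOrigin === responseOrigin;
  const embedder = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return embedder.protocol === s; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::\d+)?$/.exec(s); // host-source
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && embedder.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// Would a document at `responseOrigin` carrying `headers` render inside an iframe on a
// page from `embedderOrigin`? Header names are matched case-insensitively. When a CSP
// frame-ancestors directive is present it takes precedence over X-Frame-Options.
function framingAllowed(headers, responseOrigin, embedderOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : {};
  if (csp["frame-ancestors"]) {
    // An empty source list means 'none', and `.some` on [] is false, so that case is covered.
    return csp["frame-ancestors"].some((src) => ancestorMatches(src, responseOrigin, embedderOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === responseOrigin;
  return true; // no framing protection at all
}

// The behaviour the report describes, in its smallest form: an onHeadersReceived-style
// handler returning the response headers minus the protective ones. The exact set the
// real library removes is an assumption limited to the two headers the article names.
const FRAMING_HEADERS = ["content-security-policy", "x-frame-options"];
function stripFramingHeaders(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !FRAMING_HEADERS.includes(k.toLowerCase()))
  );
}

// Defender's view: which protective headers present in `before` are gone in `after`.
function lostProtections(before, after) {
  const afterKeys = new Set(Object.keys(after).map((k) => k.toLowerCase()));
  return Object.keys(before)
    .map((k) => k.toLowerCase())
    .filter((k) => FRAMING_HEADERS.includes(k) && !afterKeys.has(k));
}

// Constructed sample: a bank's login response, the bank's origin, and the origin of
// the page that hosts the extension's hidden iframe.
const BANK = "https://bank.example";
const SCRAPER = "https://extension-iframe.example";
const bankHeaders = {
  "Content-Type": "text/html",
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.bank.example",
};
const stripped = stripFramingHeaders(bankHeaders);

console.log(framingAllowed(bankHeaders, BANK, SCRAPER));                    // false
console.log(framingAllowed(bankHeaders, BANK, "https://app.bank.example")); // true (wildcard subdomain)
console.log(framingAllowed(stripped, BANK, SCRAPER));                       // true (protections gone)
console.log(lostProtections(bankHeaders, stripped));                        // [ 'x-frame-options', 'content-security-policy' ]
```

In a corporate setting the `lostProtections` comparison is the useful bit: fetch a page's headers from a clean client and from a browser running the suspect extension, and any protective header that disappears in between was removed on the client.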

MFA on its own can’t outwit modern threats like deepfakes or crafty social engineering, especially when employees are joining, recovering accounts, or getting new devices. That’s why more companies are weaving adaptive, end-to-end identity checks into the high-stakes moments of the employee journey.
Persona’s Know Your Employee solution gives you crystal-clear confidence in who’s on your team, locking down security without creating roadblocks.
*Sponsored
Fun new thing to worry about. This research shows AI assistants returning URLs that either A) don't exist or B) are straight-up phishing pages. For the ones that don't exist, an attacker doing recon can register the domains the model keeps hallucinating and put a phishing page behind them. In one example, Perplexity was asked for the Wells Fargo login page and returned a phishing page impersonating Wells Fargo.

I’m looking at this like SEO poisoning and Malvertising but at a new level. Can’t always trust the first search result, can’t always trust the AI response.
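An added example, not part of the research described: treating URLs an assistant returns as untrusted input and screening them against the brand's official domains before anyone clicks. The allowlist, the registrable-domain shortcut and the sample URLs are assumptions for illustration; wellsfargo.com appears only because the article names that brand, and the other hostnames are constructed.

```javascript
// Added example (not from the research in the newsletter): screen LLM-supplied URLs
// against a brand's official domains and flag lookalikes. The allowlist, suffix table
// and sample URLs are constructed for illustration.

// Official registrable domains per brand. In practice this comes from the brand's own
// published list; these entries are assumptions for the example.
const OFFICIAL_DOMAINS = {
  "wells fargo": ["wellsfargo.com"],
  "example bank": ["examplebank.com", "examplebank.co.uk"],
};

// Lower-cased hostname of an http(s) URL, or null if it is not one.
function hostnameOf(raw) {
  try {
    const u = new URL(raw);
    return ["http:", "https:"].includes(u.protocol) ? u.hostname.toLowerCase() : null;
  } catch {
    return null;
  }
}

// True when `host` is an official domain or a subdomain of one.
function isOfficial(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// Levenshtein distance, used to spot typosquats such as "wellsfarg0".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const sub = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + sub);
    }
  }
  return dp[a.length][b.length];
}

// Crude registrable-domain extraction: last two labels, or three for a few known
// two-part public suffixes. A production check should use the Public Suffix List.
const TWO_PART_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);
function registrableDomain(host) {
  const labels = host.split(".");
  const n = TWO_PART_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");
}

// Classify one URL an assistant handed back for a named brand:
//   "official"  - host is (a subdomain of) an official domain
//   "lookalike" - registrable label within 2 edits of an official one, or the brand
//                 name appears anywhere in the hostname (e.g. wellsfargo.com.evil.example)
//   "unrelated" - anything else; not impersonating, but still not the site asked for
//   "invalid"   - not an http(s) URL at all
function classifyUrl(brand, raw) {
  const domains = OFFICIAL_DOMAINS[brand.toLowerCase()] || [];
  const host = hostnameOf(raw);
  if (!host) return "invalid";
  if (isOfficial(host, domains)) return "official";
  const label = registrableDomain(host).split(".")[0];
  const brandToken = brand.toLowerCase().replace(/\s+/g, "");
  const nearMiss = domains.some((d) => editDistance(label, d.split(".")[0]) <= 2);
  if (nearMiss || host.includes(brandToken)) return "lookalike";
  return "unrelated";
}

// Screen a batch of answers the way a link-rewriting proxy or mail gateway would.
function screenUrls(brand, urls) {
  return urls.map((url) => ({ url, verdict: classifyUrl(brand, url) }));
}

// Constructed sample of what an assistant might return for "Wells Fargo login page".
const SAMPLE_ANSWERS = [
  "https://connect.secure.wellsfargo.com/login",
  "https://wellsfarg0.com/login",
  "https://wellsfargo.com.evil.example/",
  "https://docs.example.org/",
  "ftp://wellsfargo.com/",
];
console.table(screenUrls("Wells Fargo", SAMPLE_ANSWERS));
```

The "lookalike" bucket is the one worth alerting on: those are the domains that either already exist as phishing pages or are cheap for an attacker to register once they notice the model keeps suggesting them.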
I've been live streaming a bunch lately, and I get a lot of early career people in my chat asking me what certs they should go get or courses they should take. I'm not a certs guy, I think a lot of that industry is a racket. Meanwhile, Rich Mogull is out here putting out top-dollar cloud security training for free every week. I featured this when he launched CloudSLAW (Cloud Security Lab a Week) but this one stood out as a particularly good edition.
It combines a few things I think are invaluable skills today: cloud security (namely AWS) and Detection Engineering / Investigations. Go learn from the best. Not sponsored, truly just an amazing free resource. (read more)
Remember xz utils? The years-long maintainer takeover that almost backdoored sshd on most Linux distros? Well this attack is similar and super f'n sneaky. A fresh GitHub account (sus) opened a PR on a VS Code extension's repo that looked like it was doing a ton of friendly and helpful stuff.

It offered to "modernize the codebase," but buried within 4,000 lines of changes were two critical additions that pulled in a malicious npm package called "keythereum-utils". The package, downloaded 495 times before it was taken down, contained obfuscated code that would download an unknown payload via PowerShell. The lesson for reviewers: in a huge refactoring PR, the dependency manifest is the part to read line by line. (read more)
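An added example, not code from the affected extension or from the write-up: a reviewer's check that diffs the base and head package.json of a PR and reports only the changes that matter for supply-chain risk, so a new dependency cannot hide in 4,000 lines of refactoring. Both manifests are constructed; the package name is the one the article reports and its version spec is a placeholder.

```javascript
// Added example (not the extension's code): pull the supply-chain-relevant changes out
// of a pull request by diffing the base and head package.json. Both manifests below are
// constructed; "keythereum-utils" is the package name from the article and "^1.0.0"
// is a placeholder version, not the real one.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// npm runs these automatically on install; a new or changed one is a code-execution vector.
const LIFECYCLE_SCRIPTS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];
// Specs that fetch from outside the registry bypass registry-side scanning entirely.
const NON_REGISTRY_SPEC = /^(git\+|https?:|file:|github:)/;

// Compare two package.json strings and return findings a reviewer should look at.
function diffManifests(baseJson, headJson) {
  const base = JSON.parse(baseJson);
  const head = JSON.parse(headJson);
  const findings = [];

  for (const field of DEP_FIELDS) {
    const b = base[field] || {};
    const h = head[field] || {};
    for (const [name, spec] of Object.entries(h)) {
      if (!(name in b)) {
        findings.push({ kind: "new-dependency", field, name, spec });
      } else if (b[name] !== spec) {
        findings.push({ kind: "version-change", field, name, from: b[name], to: spec });
      }
      if (NON_REGISTRY_SPEC.test(spec)) {
        findings.push({ kind: "non-registry-source", field, name, spec });
      }
    }
  }

  const bs = base.scripts || {};
  const hs = head.scripts || {};
  for (const name of LIFECYCLE_SCRIPTS) {
    if (hs[name] && hs[name] !== bs[name]) {
      findings.push({ kind: "lifecycle-script", name, command: hs[name] });
    }
  }
  return findings;
}

// Human-readable review comment lines, one per finding.
function formatFindings(findings) {
  return findings.map((f) => {
    switch (f.kind) {
      case "new-dependency": return `NEW ${f.field}: ${f.name}@${f.spec} (verify publisher, age, download count)`;
      case "version-change": return `BUMP ${f.field}: ${f.name} ${f.from} -> ${f.to}`;
      case "non-registry-source": return `NON-REGISTRY ${f.field}: ${f.name} = ${f.spec}`;
      case "lifecycle-script": return `LIFECYCLE scripts.${f.name}: ${f.command}`;
      default: return JSON.stringify(f);
    }
  });
}

// Constructed manifests standing in for the PR's base and head commits.
const BASE_MANIFEST = JSON.stringify({
  name: "example-vscode-extension",
  scripts: { compile: "tsc -p ./" },
  dependencies: { "vscode-languageclient": "^8.1.0", lodash: "^4.17.21" },
  devDependencies: { typescript: "^4.9.5" },
});
const HEAD_MANIFEST = JSON.stringify({
  name: "example-vscode-extension",
  scripts: { compile: "tsc -p ./", postinstall: "node ./scripts/setup.js" },
  dependencies: { "vscode-languageclient": "^8.1.0", lodash: "^4.17.21", "keythereum-utils": "^1.0.0" },
  devDependencies: { typescript: "^5.4.0" },
});

function reviewFindings() {
  return diffManifests(BASE_MANIFEST, HEAD_MANIFEST);
}

for (const line of formatFindings(reviewFindings())) console.log(line);
```

Run this as a CI step on every PR that touches package.json and post the output as a review comment; three lines are far harder to skim past than three changed lines inside a 4,000-line diff.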

How are leading teams securing their cloud environments? Datadog analyzed security posture data from thousands of organizations that use AWS, Azure, or Google Cloud to uncover trends in misconfiguration prevention and adoption of proactive controls.
*Sponsored
A new spyware strain called Batavia is making waves in Russia's industrial sector, successfully hitting over 100 victims across dozens of organizations since July. The malware, delivered through contract-themed phishing emails, steals documents, takes screenshots, logs system info, and ships everything back to the attackers' server.
Nothing here looks particularly sophisticated: just email a bad attachment and get someone to execute it. Kaspersky hasn't attributed it to anyone specific yet, but the targeting suggests state-sponsored actors might be involved. (read more)

Normally when I read these stories, they're about sideloaded apps in Southeast Asia. Nope. This one is straight up in the Play Store and targeting the US and Canada.
Anatsa banking trojan is back and hit 90k users through a fake PDF app on Google Play. The malware authors played the long game - first launching a legit document viewer app that climbed to #4 in Tools, then flipping the switch to malicious code 6 weeks later. Once activated, it shows users fake maintenance notices when they try to access their banking apps, buying time while it steals credentials and performs automated transactions. (read more)
A set of Bluetooth vulnerabilities dubbed "PerfektBlue" in OpenSynergy's BlueSDK stack puts millions of cars at risk - notably Mercedes, VW, and Skoda. These flaws were patched back in September 2024, but many automakers haven't pushed the updates, and at least one major manufacturer just found out about it.
The attack chain requires being within 5-7 meters of the car and usually needs one click from the user to accept a Bluetooth pairing. Once in, attackers can get a reverse shell on the infotainment system to track GPS, eavesdrop on conversations, and potentially move laterally to other vehicle systems. VW claims critical functions like steering and brakes are isolated on separate control units, but PCA Cyber Security (who found the flaws) is holding back some technical details until their November 2025 conference talk. They've also confirmed a fourth major automaker is affected but aren't naming names yet since they just learned about it. (read more)
Huge news. When I was just out at Sleuthcon, talking to a lot of people who work on cybercrime, I heard how impactful these arrests actually are. We see dramatic dips in activity from these groups after these crackdowns, both because the most prolific members are a small number at the bottom of the funnel, and because others in the group get spooked watching real consequences go down. (read more)
McDonald's uses an AI chatbot for job applications. Its admin interface accepted the default credentials 123456:123456. From there the researchers poked at the API and found an IDOR that let them enumerate millions of job applicants' PII. (read more)
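An added example, not McDonald's or the vendor's code: the shape of an IDOR like the one the researchers describe, next to a handler that checks ownership, with a small enumeration loop to show the difference. The records, sessions and the recruiter role are constructed assumptions.

```javascript
// Added example (not the real application's code): an applicant lookup that trusts the
// id in the request (IDOR) beside one that checks authorisation against the record's
// owner. Records, sessions and the "recruiter" role are constructed for illustration.

const applicants = new Map([
  [1001, { ownerId: "u-alice", name: "Alice Example", email: "alice@example.com", phone: "555-0100" }],
  [1002, { ownerId: "u-bob", name: "Bob Example", email: "bob@example.com", phone: "555-0101" }],
]);

// Vulnerable: authentication is checked, authorisation is not. Any logged-in caller
// can walk 1000, 1001, 1002 ... and dump every applicant.
function getApplicantVulnerable(session, id) {
  if (!session) return { status: 401 };
  const record = applicants.get(id);
  return record ? { status: 200, body: record } : { status: 404 };
}

// Hardened: the caller must own the record or hold an explicit role. "Not yours" and
// "does not exist" return the same 404 so an enumeration loop cannot tell them apart.
function getApplicantHardened(session, id) {
  if (!session) return { status: 401 };
  const record = applicants.get(id);
  const allowed =
    record !== undefined &&
    (record.ownerId === session.userId || session.roles.includes("recruiter"));
  if (!allowed) return { status: 404 };
  return { status: 200, body: record };
}

// Attacker's view: how many records does a handler hand to this session over an id range?
function enumerate(handler, session, ids) {
  return ids.filter((id) => handler(session, id).status === 200).length;
}

// Constructed sessions: a normal applicant and a recruiter.
const bob = { userId: "u-bob", roles: [] };
const recruiter = { userId: "u-recruiter", roles: ["recruiter"] };
const ID_RANGE = [1000, 1001, 1002, 1003];

console.log("vulnerable:", enumerate(getApplicantVulnerable, bob, ID_RANGE)); // 2 (everyone's records)
console.log("hardened:  ", enumerate(getApplicantHardened, bob, ID_RANGE));   // 1 (only Bob's own)
console.log("recruiter: ", enumerate(getApplicantHardened, recruiter, ID_RANGE)); // 2 (legitimately)
```

Sequential integer ids are what make the vulnerable version a mass-disclosure bug rather than a one-off; the ownership check is the fix, and random identifiers are only a speed bump on top of it.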
AI Clone of Marco Rubio
Everyone needs to watch this demo by Rachel. She shows how easy it is to make a voice clone these days. I posted this on socials and a lot of comments were shocked not realizing how far the AI tools have come and how little of a sound clip they need to go off of.
Miscellaneous mattjay
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.