Read Time: 10 minutes

Brought to you by:

Heavy week eh? Kinda hard to even be online. I said this on socials and I’ll repeat here. I know 2 things for certain: 1) Our brains aren’t wired to witness death videos sandwiched between Applebees ads. 2) Mis and Disinformation campaigns are motivated, active, and well funded. They are hard to spot and we need to not assume every take we read is being said by a genuine person.

That all said - this was also an insane news week for me. I could’ve made 2-3 videos a day. Let’s get into it.

But first, Thanks to Trey Ford for being the interview for the latest edition of Vulnerable U Premium. If you want to sign up and catch a bunch of industry leaders coming here to get vulnerable for you all and share some of their struggles make sure you upgrade your subscription.

The next two we have in the pipe are great also so come on in the water’s fine.

ICYMI

🖊️ Something I wrote: It seems that the entire security training field should be rebranded as phishing training.

🎧️ Something I heard: Inside Russia's creepy sport farms

🎤 Something I said: Cursor quietly switched it's IDE extension marketplace - malware popping up already

🔖 Something I read: Learned helplessness - What "impossibilities" have you convinced yourself of? by the homie Keith Hoodlet

Vulnerable News

Memory Integrity Enforcement: A complete vision for memory safety in Apple devices

The way this reads is that Apple just put out the most secure mobile device we’ve seen yet. Obvious caveat of GrapheneOS custom phones but as for mass market off the shelf, this is a really giant step forward in memory safety.

Here is a massive technical deep-dive on their new Memory Integrity Enforcement (MIE) feature coming to iPhone 17 and iPhone Air. This thing took them five years to build and represents their answer to state-sponsored mercenary spyware. MIE combines hardware-level memory tagging (Enhanced Memory Tagging Extension) with their secure allocators to create always-on memory safety protection that's baked right into the A19 chips.

Their red team tried to break it using real-world exploit chains from the past three years, and apparently couldn't rebuild any of them to work around MIE. Apple's claiming this completely redefines memory safety and will make exploit development "significantly more expensive and difficult." They're also making the Enhanced Security features available to developers in Xcode immediately, so third-party apps can start using these protections. Bold claims, but if it actually works as advertised, this could be a real headache for the spyware industry. (read more)

How’s Your DevSecOps Looking These Days?*

Getting DevSecOps right is about knowing where you stand today, where you want to be next, and the practical steps to get there without slowing everyone down.

Datadog’s DevSecOps Maturity Model lays out six core competencies across four levels so you can see what “mature” actually looks like and chart a path forward that fits your team.

Read the white paper.

*Sponsored

Chinese Hackers Pretended to Be a Top U.S. Lawmaker During Trade Talks

Chinese hackers just pulled off a pretty ballsy move, impersonating Rep. John Moolenaar during Trump's trade talks with China. They sent fake emails to trade groups and law firms asking for input on sanctions legislation, complete with malware-laden attachments. The timing was surgical - this went down right before U.S. and Chinese officials met in Sweden for high-stakes trade negotiations. FBI traced it back to APT41, one of Beijing's go-to hacking groups that apparently moonlights in videogame theft when they're not stealing state secrets.

They picked Moolenaar specifically - a guy who's been absolutely hammering China in Congress, calling them an enemy rather than a partner. The FBI's investigating this alongside other impersonation campaigns targeting Marco Rubio and Susie Wiles. One analyst compared APT41 to shopping at Costco - high volume, gets the job done, but nothing fancy. They're basically everywhere and throwing everything at the wall to see what sticks during these critical trade discussions. If you’re reading this, I just want to say I’m a big fan of your $1.50 hot dogs. (read more)

Ex-WhatsApp security boss sues Meta, alleging it ignored privacy risks

So WhatsApp head of security blows the whistle that they aren’t meeting their obligation to the FTC to save his ass. He gets canned, allegedly for said whistleblowing. Now is suing them, and what does Meta say: “Well actually that guy sucked and thats why we fired him” …paraphrasing.

Attaullah Baig claims the company basically ignored massive privacy risks, violated their FTC settlement, and then fired him when he kept pushing internal security improvements. His claim I have a hard time wrapping my head around: 500,000 WhatsApp accounts get hijacked daily. That's a staggering number if true, especially for a platform that markets itself heavily on privacy and security. - Just do the math and that really seems impossible.

The lawsuit has some serious Peiter Zatko (Mudge) vibes. Remember when he was a Twitter whistleblower who exposed similar issues before Musk took over? Baig says WhatsApp had just 10 actual security engineers but somehow 1,500 regular engineers had access to protected user data, with no proper tracking of what they did with it. The FTC and SEC have already interviewed Baig. Given WhatsApp's billions of users and all those previous Meta privacy screwups, this one's definitely worth watching. (read more)

An Attacker’s Blunder Gave Us a Look Into Their Operations

Why did a bunch of people not realize that security tools can see everything that happens on the computer they are installed on? This is an awesome post from Huntress about a threat actor who installed their tool, they recognized the name of the device from some IOC data of other incidents, investigated, and showed us a bunch of stuff about their Ops.

Then a ton of people freaked about how much stuff Huntress can see on the computer. Yes. Everyone. Please don’t do stuff on your corporate machine that you wouldn’t want read aloud in court.

The attacker, who found Huntress through a Google ad while researching Bitdefender, exposed their entire workflow including browser history showing them targeting organizations, crafting phishing messages, and searching for Evilginx instances.

They're heavily leveraging AI tools like Make[.]com to automate workflows through Telegram bots, and using tools like DocsBot AI for data generation. Their daily grind involved 12-14 hour days researching targets (especially banks), using residential proxies to mask activity, and shopping on STYX market for stolen credentials. They eventually caught on and uninstalled the agent, but not before Huntress got a view into modern threat actor tradecraft. (read more)

Gartner Just Ranked 1Kosmos #1 for Workforce Identity Verification*

If you’re exploring identity tools that go beyond credentials, this new 2025 Gartner Critical Capabilities report is worth a read. Solid insights on phishing-resistant access, biometric login, and workforce integrations.

👉 [Access the report]

*Sponsored

EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

This was interesting and I was digging into it becauase they called it “Fileless Malware” - So I thought it was kind of like that cloud ransomware attack recently that just used the built in cloud features to lock everything without actually deploying against a server. Nope! This is completly different and still interesting.

It's a multi-stage, fileless malware toolkit that uses DLL sideloading and operates almost entirely in memory to stay under the radar. The main component, EggStremeAgent, packs 58 different commands and can do everything from system reconnaissance to lateral movement, plus it automatically injects a keylogger into every new user session.

The thing I honed in on is how they abuse legitimate Windows services for persistence - targeting disabled services like MSiSCSI and AppMgmt, then either swapping out DLLs or tweaking registry keys to load their malicious code. The whole framework is designed around staying fileless, with encrypted payloads stored in .mui files that only get decrypted in memory. They even threw in a lightweight backup backdoor called EggStremeWizard and a proxy tool called Stowaway for network pivoting. (read more)

Apple warns customers targeted in recent spyware attacks

We knew this was coming. Every time we get the zero day actively being exploited stuff it is tied to spyware, just a matter of time before we hear more.

Apple's been busy sending out at least four waves of spyware notifications going out through September. The French CERT team flagged these as "highly sophisticated attacks" using zero-days and zero-click exploits - meaning victims didn't even need to click on anything to get compromised. This ties back to last month's emergency patches for that nasty WhatsApp/iOS zero-day combo.

They’ve been sending these notifications across 150+ countries since 2021, though they're staying tight-lipped about who's behind it all. cough Israel cough For anyone who gets these warnings, Apple's recommending Lockdown Mode and suggests reaching out to Access Now's Digital Security Helpline if you need emergency support. But also check the story on their new memory safety features which should impact this entire industry. (read more)

Apple CarPlay RCE Exploit Left Unaddressed in Most Cars

Remember that fun Apple CarPlay bug we talked about? Well, it's still out there. Turns out patching cars isn’t a regular occurance. CVE-2025-24132 is a zero-click RCE vulnerability that Oligo Security found back in April - attackers can basically take over CarPlay through Bluetooth or WiFi without you doing anything. Apple patched their SDK months ago, but almost no car manufacturers have actually implemented the fix.

The attack chain is pretty slick - many cars use "Just Works" Bluetooth pairing (because of course they do), and the iAP2 protocol only authenticates one direction. So an attacker can pretend to be your iPhone, grab WiFi creds, connect to the car, and boom - root access to your infotainment system. The real problem isn't the bug itself, it's that automotive supply chains are a mess. Unlike your phone that updates overnight, cars need dealership visits or complex OTA systems that most manufacturers haven't bothered implementing properly. (read more)

U.S. Senator accuses Microsoft of “gross cybersecurity negligence”

Guess which Senator… Yup! Senator Ron Wyden is going after Microsoft, calling for an FTC investigation over the company's handling of known security risks - specifically around Kerberoasting attacks that recently hit Ascension Health and exposed 5.6M patient records. The attack chain started with a malicious Bing result and exploited Microsoft's continued support of RC4 encryption in Kerberos authentication.

Microsoft put out a dense technical blog post in October that basically buried the lede. While Microsoft claims RC4 makes up less than 0.1% of traffic and they can't fully remove it without breaking legacy systems, Wyden isn't buying it - especially given that 46% of environments had passwords cracked this year, up from 25% last year. The senator is framing this as a national security issue, arguing Microsoft's market dominance combined with their "culture of negligent cybersecurity" is going to lead to more major breaches unless the FTC steps in.

The absolute most wild quote from this letter is: “At this point, Microsoft has become like an arsonist selling firefighting services to their victims.” (read more)

Hackers left empty-handed after massive NPM supply-chain attack

The largest NPM supply chain attack in history just hit - but the attackers walked away with less than $1,000 for their trouble. The compromise started when maintainer Josh Junon fell for a phishing attack, giving attackers access to hugely popular packages like chalk and debug-js (2.6 billion weekly downloads).

The attackers pushed malicious updates that tried to redirect crypto transactions, but the open source community caught it within two hours. While the reach was massive - these packages are used in 99% of cloud environments according to Wiz - the payload was surprisingly tame. Instead of dropping reverse shells or ransomware, they went for basic crypto-jacking that netted them about $429 in ETH, $46 in SOL, and some pocket change in other coins. Same attack hit DuckDB's maintainer too, but all the attacker wallets are now flagged. Major cleanup headache for affected companies, but could've been way worse security-wise. (read more)

Jaguar Land Rover confirms data theft after recent cyberattack

So JLR not only got hit by Scattered Lapsus$ Hunters, they got hit so bad all their workers got sent home until further notice and nobody can get their cars serviced. The threat actors are showing off screenshots of JLR's internal SAP system. These are the same folks behind those recent Salesforce data thefts that hit Google, Cloudflare, and a bunch of other tech companies using stolen OAuth tokens. (read more)

X is now offering me end-to-end encrypted chat — you probably shouldn’t trust it yet

X just rolled out their new encrypted messaging feature called XChat, and the crypto experts are not impressed. The company's claiming it's end-to-end encrypted, but there are some glaring red flags that make Signal look impeneterable by comparison. For starters, they're storing your private keys on their servers instead of your device, protected by just a four-digit PIN. Matthew Garrett and Matthew Green (great names) are basically saying "don't trust this yet" - and when the two Matthews in cryptography agree, you should listen.

X literally admits on their support page that their current setup could allow "a malicious insider or X itself" to compromise your chats. Add in the fact that none of the code is open source and there's no perfect forward secrecy, and you've got more sizzle than steak on this one. Maybe wait for that audit before sharing your state secrets on XChat. (read more)

Swiss government looks to undercut privacy tech, stoking fears of mass surveillance

Switzerland is pulling a complete 180 on its privacy-friendly reputation with a proposed regulation that would force service providers (>5000 users) to collect government IDs, store user data for 6 months, and potentially break encryption. This doesn't even need parliamentary approval. Proton, the privacy-focused email and VPN provider, is already moving its infrastructure out of Switzerland with a €100M investment in EU facilities, comparing the proposed laws to Russia's surveillance framework.

The proposal would require users to provide passport/driver's license for service registration (goodbye, email-only signups) and mandate retention of email addresses, phone numbers, names, IPs, and even device port numbers. Law enforcement could access this data without court orders - just a simple request would do. Privacy advocates are pushing back hard, with Nym COO Alexis Roussel pointing out the irony of Switzerland actively dismantling its privacy tech industry just when it's needed most. The government claims this is about fighting cybercrime, but when your privacy laws start looking more like Russia's than the EU's, something's definitely off. (read more)

Miscellaneous mattjay

Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay