[INCRANSOM] - Ransomware Victim: Nothing - https://www.redpacketsecurity.com/incransom-ransomware-victim-nothing/
#incransom #dark_web #data_breach #OSINT #ransomware #threatintel #tor
(zscaler.com) Data Leakage Through AI Prompts: Real-World Scenarios and Effective Controls
New threat vector alert: AI prompt data leakage bypasses traditional DLP, exposing PII, PHI, PCI, and IP at scale. Over 410M ChatGPT-related DLP violations in one year (99.3% YoY increase) highlight critical gaps in AI workflow security.
In brief - Generative AI adoption introduces novel data leakage risks via prompts, attachments, and outputs. Legacy DLP fails to inspect conversational data flows, requiring new controls like inline DLP, browser isolation, and content moderation to mitigate exposure of sensitive data.
Technically - AI prompt leakage exploits unmonitored vectors: prompt text (e.g., copy/pasted credentials), file uploads (e.g., spreadsheets with PII), and model outputs (e.g., hallucinated data reuse). Traditional DLP lacks visibility into these flows. Mitigation requires prompt-level inspection, inline redaction, cloud app controls, and browser isolation (e.g., disabling copy/paste). Implement phased rollout: visibility → enforcement → optimization, with metrics like sensitive prompt rates to measure efficacy.
Source: https://www.zscaler.com/blogs/product-insights/ai-prompt-data-leakage-examples
(moonlock.com) TikTok in 2026: Navigating Privacy Risks, Data Security, and User Safety Under New U.S. Ownership
TikTok remains a critical privacy and security risk despite U.S. ownership changes, with persistent data collection and geopolitical concerns.
In brief - TikTok’s transition to U.S. ownership has not resolved core privacy risks, including invasive data harvesting (geolocation, biometrics, keystroke patterns), ties to ByteDance, and compliance with China’s National Intelligence Law. Scams, AI deepfakes, and underage exposure risks persist, while mitigations like Project Texas and Family Pairing lack proven efficacy.
Technically - TikTok’s iOS app requests excessive permissions, enabling access to clipboard data, browsing history, and device features. Suspicions of keystroke monitoring via injected code (denied by TikTok) and ongoing data access by ByteDance engineers in China underscore unresolved vulnerabilities. Algorithmic risks amplify harmful content, while scams exploit weak fraud detection. Mitigations include disabling unnecessary permissions and using VPNs and antivirus tools, though age-gating and parental controls are easily bypassed.
(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages Unleashes Multi-Cloud Credential Theft and Worm Propagation
New supply chain attack by TeamPCP: Compromised Microsoft DurableTask Python packages (v1.4.1–1.4.3) deploy rope.pyz malware targeting Linux. Credential theft (AWS/Azure/GCP/K8s/Vault) + lateral movement via AWS SSM/Kubernetes. Worm-like propagation with 5-target limit per host. C2: check.git-service.com, t.m-kosche.com.
In brief - TeamPCP compromised official DurableTask Python packages to distribute malware stealing cloud/K8s credentials and enabling lateral movement across multi-cloud environments. Immediate credential rotation and C2 blocking recommended.
Technically - Malware (rope.pyz) injected into __init__.py/task.py, persists via ~/.cache/.sys-update-check. Harvests credentials from env vars, .bash_history/.zsh_history, and password managers (Bitwarden/1Password/GPG). Uses AWS SSM (SendCommand) and kubectl exec for lateral movement. Exfil via /v1/models, /audio.mp3. IoCs: rope.pyz hashes, /tmp/managed.pyz, /tmp/rope-*.pyz. RSA Key B for encryption.
Source: https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
[NOVA] - Ransomware Victim: Wyższa Szkoła Biznesu National Louis University - https://www.redpacketsecurity.com/nova-ransomware-victim-wysza-szkoa-biznesu-national-louis-university/
#nova #dark_web #data_breach #OSINT #ransomware #threatintel #tor
[DRAGONFORCE] - Ransomware Victim: ZFG ALTHERM Engineering - https://www.redpacketsecurity.com/dragonforce-ransomware-victim-zfg-altherm-engineering/
#dragonforce #dark_web #data_breach #OSINT #ransomware #threatintel #tor
[SILENTRANSOMGROUP] - Ransomware Victim: Barclay Damon - https://www.redpacketsecurity.com/silentransomgroup-ransomware-victim-barclay-damon/
#silentransomgroup #dark_web #data_breach #OSINT #ransomware #threatintel #tor
[DRAGONFORCE] - Ransomware Victim: TAURUS INVESTMENT HOLDINGS - https://www.redpacketsecurity.com/dragonforce-ransomware-victim-taurus-investment-holdings/
#dragonforce #dark_web #data_breach #OSINT #ransomware #threatintel #tor
(aikido.dev) Malicious PyPI Packages Targeting Cloud-Native Environments: Analysis of the durabletask Backdoor Campaign
New PyPI supply chain attack deploys durabletask backdoor targeting cloud-native environments. Malicious versions (1.4.1–1.4.3) execute a dropper on import, fetching a second-stage infostealer/worm (rope.pyz) from check.git-service[.]com. Targets AWS, Kubernetes, password managers, and developer tools; exfiltrates via RSA-encrypted data to GitHub dead-drop (FIRESCALE). Includes disk-wiping capability triggered on Israeli/Iranian systems. Attributed to TeamPCP.
In brief - Three trojanized durabletask PyPI packages deliver a multi-stage infostealer/worm targeting cloud credentials and developer tools. The malware propagates in AWS/Kubernetes environments, exfiltrates via GitHub, and includes destructive capabilities. Immediate credential rotation and forensic analysis required.
Technically - The __init__.py dropper retrieves rope.pyz (Python zipapp) from C2, which performs evasion checks (locale, CPU, dependencies) before deploying an infostealer. Harvested data is AES-256-GCM encrypted with an attacker RSA key. C2 resilience via GitHub dead-drop (FIRESCALE) with RSA-signed commits. Worm propagates via AWS SSM/kubectl exec; persistence via systemd. Disk wiper (rm -rf /) triggered by geofencing.
Source: https://www.aikido.dev/blog/durabletask-package-compromised-mini-shai-hulud

Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems.
(safedep.io) Compromised durabletask PyPI Package: Multi-Cloud Credential Stealer with Worm Capabilities and Geopolitical Targeting
In brief - A sophisticated supply chain attack compromised the `durabletask` PyPI package (v1.4.1-1.4.3) using a stolen API token, deploying a multi-cloud credential stealer with worm capabilities. The malware targets AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, exfiltrating sensitive data via encrypted channels. Geopolitical targeting includes destructive wiper routines for Israeli/Iranian systems and exclusion of Russian locales.
Technically - Attackers injected a dropper into `durabletask` to fetch `rope.pyz`, a stage-2 Python zipapp credential harvester. The malware steals credentials from cloud providers, Kubernetes, and local password managers, exfiltrating 90+ file types (SSH keys, Terraform state) via RSA-4096/AES-256-GCM encryption. Lateral movement occurs via AWS SSM SendCommand and `kubectl exec`. Persistence is established via a systemd backdoor. C2 infrastructure includes `check[.]git-service[.]com` and GitHub dead drops, with redundant exfiltration methods.
Source: https://safedep.io/malicious-durabletask-pypi-supply-chain-attack

Three compromised versions of the Microsoft durabletask Python SDK (1.4.1, 1.4.2, 1.4.3) were published to PyPI, each downloading a stage-2 payload that steals credentials from AWS, Azure, GCP, Kubernetes, HashiCorp Vault, and password managers, then propagates to other hosts via SSM and kubectl exec.