Newsletters

A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.

The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.

The action works by analyzing pull requests and detecting what files. It is used in complex CI/CD pipelines to trigger other actions based on what files are changed. It is a basic but very important automation script, and the reason why it become one of GitHub's most popular actions.

The FBI says that cybercriminals are using free file format and document conversion tools to scrape personal data and deploy malware, and even ransomware.

The warning applies to online websites that convert files between different formats, but also apps that users download on their devices.

Reports of malware being added to a converted file have been around for over a decade, although no major security breach has ever been linked to a file converter.

We have consistently argued for TikTok to be banned in the US as it could be a powerful tool for the Chinese government to interfere with American political discourse. For US allies, a similar argument now applies to X. 

Commentators in Canada and the UK have already floated the idea of banning X. Meanwhile, in France, prosecutors have announced they've opened an investigation into X over alleged algorithmic bias. The investigation was launched after the prosecutor's office received complaints about X's interference in French democratic debate. 

X isn't TikTok, but in many ways it's actually worse. X actively promotes CEO Elon Musk's hard-right, fascist ideology, while interference on TikTok is mostly a theoretical risk. TikTok might be up to something and might improperly use its influence one day. Musk's interference on X, on the other hand, is as subtle as a brick to the head. 

A team of academics is conducting a large-scale public study to assess the real-world impact of the Rowhammer vulnerability.

First described in a 2014 research paper, Rowhammer is an attack that revolves around the concept of "hammering" a row of RAM memory cells with constant read or write operations. The constant process of turning memory cells on and off causes electrical interference on nearby memory cells, which academics say can be exploited to alter or leak memory data.

For the past decade, multiple teams of academics from all over the world have expanded the original attack to cover multiple technology platforms and optimize and speed up attacks, even showing theoretical web-based exploitation via JavaScript code and raw network packets. Researchers even bypassed some of the tech industry's Rowhammer protections.

Security researcher Tobia Righi has pulled off what appears to be the first successful passkey phishing attack.

The phishing vector existed solely in mobile browsers and has now since been patched. Security updates have rolled out for all major browsers, such as Chrome/Edge (October 2024), Firefox (February 2025), and Safari (January 2025)—see CVE-2024-9956.

Righi's attack revealed that passkeys are not perfect, but his research also showed that passkeys are far superior to the old credential pair and classic multi-factor authentication solutions.

The US Department of Justice has unsealed charges against twelve Chinese nationals linked to two cyber-espionage groups.

The DOJ DC office indicted Yin Kecheng and Zhou Shuai, two members of the APT27 group, also known as Emissary Panda, Lucky Mouse, and Silk Typhoon.

Officials say the two worked as contractors and conducted hacking operations on behalf of China's Ministry of Public Security (MPS) and Ministry of State Security (MSS) since at least 2011.

Starlink is being used to keep forced labour scam compounds in Myanmar online after their internet access was cut by Thai authorities, according to a report in Wired. 

We'd love Starlink's parent company SpaceX to do something about this, but we're not holding our breath.

In Southeast Asia hundreds of thousands of people are forced by organised criminal gangs to carry out so-called "pig butchering" scams. These modern slavery compounds cause immense human suffering and generate billions of dollars of annual revenue. 

A team of academics has found a way to remotely turn any Bluetooth-capable device into an AirTag tracker.

The technique is named nRootTag and abuses how Apple's FindMy network indexes AirTags and searches for tracked or lost devices.

In normal circumstances, when a user pairs an AirTag to their account, Apple takes the AirTag's Bluetooth signal and generates a cryptographic private-public key pair. When the user wants to find the AirTag's location, the FindMy network queries for the public key associated with that Bluetooth signal and then notifies the owner of its location.

The Trump administration has sent memos to CISA and US Cyber Command instructing cybersecurity staff to stop treating Russian hackers as a threat and halt operations targeting Russia.

Both orders were issued around two weeks ago but were only first reported publicly on Friday.

In the first order, Defense Secretary Pete Hegseth ordered Cyber Command to shut down any operations targeting Russia.

Israeli hacking tools maker Cellebrite has banned the Serbian government from using its products, citing misuse of its technology.

The company's decision comes after an Amnesty International report last December accused Serbian law enforcement of using Cellebrite tools to unlock phones and install spyware on the devices of anti-government dissidents and journalists.

Amnesty says this usually happened while victims were being interrogated by police. Their phones were taken away and then returned to them with spyware installed.