Newsletters

China ramped up its name and shame cyber rhetoric this week when it identified and threatened four Taiwanese individuals it alleges are involved in cyber operations targeting the mainland. 

The four were named in a Chinese Ministry of State Security (MSS) Weixin post that published the names, passport-style photographs, birthdates, ID numbers and job titles within Taiwan's Information Communication Electronic Force Command (ICEFCOM). The unit was set up in 2017 and brings together the Ministry of National Defense's communication, cyber and electronic warfare units. 

This is the second time that the MSS has doxxed Taiwanese military hackers. In September of last year it published the identities of three other alleged cyber operators, but without some of the more granular identifying details.

China's main intelligence agency said on Monday that a branch of the Taiwanese military is behind an APT group known as PoisonIvy and GreenSpot.

China's Ministry of State Security (MSS) says a cyber warfare center (Network Environment Research and Analysis Center) inside the Taiwan Information, Communications, and Electronic Force Command (ICEFCOM) is behind the APT group's operations.

The MSS accused ICEFCOM of hacking Chinese government agencies, military targets, organizations in China's critical sectors, and private sector companies.

A threat actor compromised a popular GitHub Action and added malicious code that prints out secret tokens in project build logs.

The incident took place on Friday and impacted tj-actions/changed-files (hereinafter Changed-Files), an automated action used by over 23,000 GitHub projects.

The action works by analyzing pull requests and detecting what files. It is used in complex CI/CD pipelines to trigger other actions based on what files are changed. It is a basic but very important automation script, and the reason why it become one of GitHub's most popular actions.

The FBI says that cybercriminals are using free file format and document conversion tools to scrape personal data and deploy malware, and even ransomware.

The warning applies to online websites that convert files between different formats, but also apps that users download on their devices.

Reports of malware being added to a converted file have been around for over a decade, although no major security breach has ever been linked to a file converter.

We have consistently argued for TikTok to be banned in the US as it could be a powerful tool for the Chinese government to interfere with American political discourse. For US allies, a similar argument now applies to X. 

Commentators in Canada and the UK have already floated the idea of banning X. Meanwhile, in France, prosecutors have announced they've opened an investigation into X over alleged algorithmic bias. The investigation was launched after the prosecutor's office received complaints about X's interference in French democratic debate. 

X isn't TikTok, but in many ways it's actually worse. X actively promotes CEO Elon Musk's hard-right, fascist ideology, while interference on TikTok is mostly a theoretical risk. TikTok might be up to something and might improperly use its influence one day. Musk's interference on X, on the other hand, is as subtle as a brick to the head. 

A team of academics is conducting a large-scale public study to assess the real-world impact of the Rowhammer vulnerability.

First described in a 2014 research paper, Rowhammer is an attack that revolves around the concept of "hammering" a row of RAM memory cells with constant read or write operations. The constant process of turning memory cells on and off causes electrical interference on nearby memory cells, which academics say can be exploited to alter or leak memory data.

For the past decade, multiple teams of academics from all over the world have expanded the original attack to cover multiple technology platforms and optimize and speed up attacks, even showing theoretical web-based exploitation via JavaScript code and raw network packets. Researchers even bypassed some of the tech industry's Rowhammer protections.

Security researcher Tobia Righi has pulled off what appears to be the first successful passkey phishing attack.

The phishing vector existed solely in mobile browsers and has now since been patched. Security updates have rolled out for all major browsers, such as Chrome/Edge (October 2024), Firefox (February 2025), and Safari (January 2025)—see CVE-2024-9956.

Righi's attack revealed that passkeys are not perfect, but his research also showed that passkeys are far superior to the old credential pair and classic multi-factor authentication solutions.

The US Department of Justice has unsealed charges against twelve Chinese nationals linked to two cyber-espionage groups.

The DOJ DC office indicted Yin Kecheng and Zhou Shuai, two members of the APT27 group, also known as Emissary Panda, Lucky Mouse, and Silk Typhoon.

Officials say the two worked as contractors and conducted hacking operations on behalf of China's Ministry of Public Security (MPS) and Ministry of State Security (MSS) since at least 2011.

Starlink is being used to keep forced labour scam compounds in Myanmar online after their internet access was cut by Thai authorities, according to a report in Wired. 

We'd love Starlink's parent company SpaceX to do something about this, but we're not holding our breath.

In Southeast Asia hundreds of thousands of people are forced by organised criminal gangs to carry out so-called "pig butchering" scams. These modern slavery compounds cause immense human suffering and generate billions of dollars of annual revenue. 

A team of academics has found a way to remotely turn any Bluetooth-capable device into an AirTag tracker.

The technique is named nRootTag and abuses how Apple's FindMy network indexes AirTags and searches for tracked or lost devices.

In normal circumstances, when a user pairs an AirTag to their account, Apple takes the AirTag's Bluetooth signal and generates a cryptographic private-public key pair. When the user wants to find the AirTag's location, the FindMy network queries for the public key associated with that Bluetooth signal and then notifies the owner of its location.