Secret CISO 10/30: Ribbon's Telecom Breach, EY's Data Exposure, Hacktivists Hit Canada, AI Cloaking Attack
Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and vulnerabilities that continue to challenge our digital landscape. Today's stories weave a narrative of breaches, vulnerabilities, and the ever-evolving tactics of cyber adversaries.
In a startling revelation, Ribbon Communications, a key player in telecom infrastructure, has uncovered a breach orchestrated by nation-state hackers, underscoring the relentless pursuit of critical infrastructure by sophisticated attackers. Meanwhile, the Canadian Centre for Cyber Security reports hacktivists targeting water and energy facilities, raising alarms about the security of essential services.
On the software front, a WordPress security plugin flaw has exposed private data, while GitLab addresses a vulnerability that could allow project runner hijacking. These incidents highlight the pressing need for vigilance in software security.
In the realm of insider threats, former ASD employee Peter Williams pleads guilty to selling exploits to Russia, a stark reminder of the dangers posed by those with access to sensitive information. Simultaneously, a massive leak of 183 million email passwords discovered by Troy Hunt serves as a cautionary tale about the ongoing threat of data breaches.
As we delve deeper, we uncover malicious NPM packages with invisible dependencies, a new Atroposia RAT on the dark web, and a novel AI-targeted cloaking attack that tricks AI crawlers into citing false information. These developments illustrate the sophistication and creativity of modern cyber threats.
Finally, we explore vulnerabilities within GIMP's file parsing, where multiple flaws could lead to remote code execution, emphasizing the critical importance of robust validation in software development.
Stay informed, stay secure, and join us as we navigate the complex world of cybersecurity in today's edition of Secret CISO.
Data Breaches
- US company with access to biggest telecom firms uncovers breach by nation-state hackers: Ribbon Communications, a Texas-based company, discovered a breach by nation-state hackers. The breach involved unauthorized access to systems that facilitate voice and data communications between major telecom firms. This incident highlights the ongoing threat of sophisticated cyberattacks targeting critical infrastructure. Source: Reuters.
- WordPress security plugin exposes private data to site subscribers: A vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, allowed unauthorized access to private data. This flaw could potentially expose sensitive information to site subscribers, emphasizing the need for robust security measures in widely used plugins. Source: Bleeping Computer.
- Northern Montana Health Care alerts patients about data breach: Northern Montana Health Care (NMHC) informed patients of a data breach involving their business partner. The breach potentially exposed sensitive patient information, prompting NMHC to take measures to mitigate the impact and prevent future incidents. Source: Montana Right Now.
- Canada says hacktivists breached water and energy facilities: The Canadian Centre for Cyber Security reported multiple breaches of critical infrastructure systems by hacktivists. These breaches targeted water and energy facilities, raising concerns about the security of essential services and the potential for disruption. Source: Bleeping Computer.
- EY exposed 4TB SQL backup file to open web, researchers say: Researchers revealed that EY accidentally exposed a 4TB SQL backup file to the open web. This incident underscores the risks associated with improper data handling and the importance of securing sensitive information to prevent unauthorized access. Source: The Register.
Security Research
- Peter Williams, Ex-ASD, Pleads Guilty to Selling Eight Exploits to Russia: Former ASD employee Peter Williams has admitted to selling eight critical exploits to Russia, raising significant concerns about insider threats and national security. This case highlights the potential risks posed by insiders with access to sensitive information. Source: Risky Biz News.
- 183 million email passwords leaked: Check yours now: Security researcher Troy Hunt discovered a massive 3.5-terabyte dataset containing 183 million email passwords leaked online. The credentials were reportedly obtained through infostealer malware, emphasizing the ongoing threat of data breaches. Source: CyberGuy.
- Malicious NPM Packages Contain Invisible Dependencies: Security researcher Koi Oren identified malicious NPM packages that include invisible dependencies, which are fetched during installation. This discovery underscores the importance of scrutinizing package dependencies to prevent supply chain attacks. Source: Dark Reading.
- New Atroposia RAT Surfaces on Dark Web: Security researchers at Varonis have uncovered a new remote access trojan (RAT) named Atroposia, which uses encrypted command channels to evade detection. This development highlights the evolving sophistication of malware threats. Source: Infosecurity Magazine.
- New AI-Targeted Cloaking Attack Tricks AI Crawlers Into Citing Fake Info as Verified Facts: Cybersecurity researchers have identified a new cloaking attack that deceives AI crawlers, such as those used by OpenAI's ChatGPT Atlas, into citing false information as verified facts. This raises concerns about the integrity of AI-generated content. Source: The Hacker News.
Top CVEs
- GitLab Project Runner Hijacking Vulnerability: GitLab has addressed a vulnerability in its Enterprise Edition affecting versions from 17.1 before 18.3.5, 18.4 before 18.4.3, and 18.5 before 18.5.1. This flaw could allow an authenticated attacker with specific permissions to hijack project runners from other users, potentially leading to unauthorized access and control over project resources. The issue has been resolved in the latest updates. Source: CVE-2025-11702.
- GIMP ILBM File Parsing Vulnerability: A stack-based buffer overflow vulnerability in GIMP's ILBM file parsing allows remote attackers to execute arbitrary code. Exploitation requires user interaction, such as visiting a malicious page or opening a malicious file. The flaw arises from improper validation of user-supplied data length before copying it to a buffer. Source: CVE-2025-10925.
- GIMP FF File Parsing Integer Overflow: This vulnerability in GIMP's FF file parsing can lead to remote code execution due to an integer overflow caused by insufficient validation of user-supplied data. User interaction is necessary for exploitation, such as opening a malicious file. The flaw allows attackers to execute code within the current process context. Source: CVE-2025-10924.
- GIMP ICNS File Parsing Out-Of-Bounds Write: An out-of-bounds write vulnerability in GIMP's ICNS file parsing can be exploited by remote attackers to execute arbitrary code. The issue stems from inadequate validation of user-supplied data, leading to writing past the buffer's end. Exploitation requires user interaction, such as opening a malicious file. Source: CVE-2025-10920.
- GIMP WBMP File Parsing Integer Overflow: This integer overflow vulnerability in GIMP's WBMP file parsing allows remote attackers to execute arbitrary code. The flaw results from insufficient validation of user-supplied data, leading to an overflow before buffer allocation. Exploitation requires user interaction, such as opening a malicious file. Source: CVE-2025-10923.
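The four GIMP entries above describe two recurring parser defects: a file-supplied length copied into a fixed buffer before it is checked against that buffer, and an allocation size computed from file-supplied dimensions that wraps around. As an added example (not GIMP's code; the header struct and function names are hypothetical), here are the two checks such a parser needs, written in C:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical minimal image header with the fields an image-format
 * parser typically reads straight from the file. */
typedef struct { uint32_t width, height, bpp; } img_hdr_t;

/* Compute width * height * bytes-per-pixel without wrapping. Returning
 * false instead of a wrapped value is the fix for the "integer overflow
 * before buffer allocation" class: an undersized buffer later gets filled
 * with the full pixel data, which is an out-of-bounds write. */
bool checked_pixel_bytes(const img_hdr_t *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0 || h->bpp % 8 != 0)
        return false;                       /* reject nonsensical headers */
    size_t bytes_pp = h->bpp / 8;
    if ((size_t)h->width > SIZE_MAX / h->height)
        return false;                       /* width * height would wrap */
    size_t pixels = (size_t)h->width * h->height;
    if (pixels > SIZE_MAX / bytes_pp)
        return false;                       /* pixels * bytes_pp would wrap */
    *out = pixels * bytes_pp;
    return true;
}

/* Copy a length-prefixed chunk into a fixed buffer only if it fits both the
 * destination and the bytes actually remaining in the input. Skipping the
 * first test is the stack-based overflow pattern; skipping the second is an
 * over-read of the file buffer. */
bool checked_chunk_copy(uint8_t *dst, size_t dst_cap,
                        const uint8_t *src, size_t src_avail,
                        uint32_t declared_len)
{
    if (declared_len > dst_cap)   return false;  /* would write past dst */
    if (declared_len > src_avail) return false;  /* would read past src */
    memcpy(dst, src, declared_len);
    return true;
}
```

Fuzzing a parser with oversized dimension and length fields is the quickest way to confirm both checks are present on every code path that trusts the header.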
Final Words
As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is as dynamic as ever, with threats evolving and vulnerabilities emerging across various sectors. From nation-state hackers breaching telecom systems to vulnerabilities in popular WordPress plugins, the need for vigilance and robust security measures is more pressing than ever.
We've seen how breaches can impact critical infrastructure, as highlighted by the incidents in Canada and the exposure of sensitive patient data in Montana. These stories serve as a stark reminder of the importance of safeguarding our digital assets and the potential consequences of lapses in security.
Meanwhile, the discovery of malicious NPM packages and the emergence of new malware like the Atroposia RAT underscore the sophistication of cyber threats today. The AI-targeted cloaking attack further illustrates the challenges we face in maintaining the integrity of information in an increasingly AI-driven world.
In light of these developments, it's crucial to stay informed and proactive in our cybersecurity efforts. Sharing knowledge is a powerful tool in our collective defense against cyber threats. If you found today's insights valuable, please consider sharing this newsletter with your friends and colleagues. Together, we can build a more secure digital future.
Thank you for joining us today. Stay safe, stay secure, and we'll see you in the next edition of Secret CISO.