Welcome to today's edition of Secret CISO, where we unravel the intricate web of cybersecurity threats and vulnerabilities that are shaping our digital landscape. In this issue, we delve into a series of alarming data breaches that have left both public and private sectors reeling. From Cornwell Quality Tools to Salesloft, sensitive information has been laid bare, highlighting the urgent need for robust data protection strategies.

Meanwhile, the tech giant Meta finds itself under fire as whistleblowers accuse it of prioritizing profits over child safety, a revelation that has ignited a firestorm of public and legislative scrutiny. As if that weren't enough, Anthropic's new AI feature, Claude, is under the microscope for its potential security risks, raising questions about the responsibilities of AI developers in safeguarding user data.

In the realm of vulnerabilities, we spotlight several critical CVEs, including a Server-Side Request Forgery in LiteSpeed Cache and a deserialization flaw in Microsoft's HPC Pack, each posing significant threats to system integrity and data confidentiality. These vulnerabilities serve as stark reminders of the ever-present risks lurking in our software ecosystems.

Finally, we explore the latest security issues affecting APIs and npm packages, with incidents like the Prebid Universal Creative API malware attack and the DuckDB npm package compromise underscoring the importance of vigilance in software supply chains. As we navigate these turbulent waters, today's newsletter aims to equip you with the insights needed to fortify your defenses against the relentless tide of cyber threats.

Data Breaches

1. Cornwell Quality Tools Data Breach: Edelson Lechtzin LLP is investigating claims on behalf of Cornwell Quality Tools customers following a data breach that potentially exposed personal information, including names, Social Security numbers, and financial account details. Source: WJBF
2. Salesloft Data Breach: A significant breach at Salesloft exposed sensitive data of over 700 firms, including major companies like Cloudflare and Palo Alto Networks. The breach occurred after hackers exploited OAuth tokens. Source: SecurityBrief Asia
3. Pierce County Library Data Breach: Over 300,000 personal records were compromised in a data breach at the Pierce County Public Library System, leading to a lawsuit. The breach exposed sensitive personal information, sparking significant concern among affected individuals. Source: KOMO News
4. New York Blood Center Enterprises Data Breach: A ransomware attack in January 2025 led to a data breach at New York Blood Center Enterprises, compromising sensitive information. The breach highlights the ongoing threat of ransomware to healthcare organizations. Source: TechTarget
5. Somerset County Children and Youth Services Department Data Breach: A data breach at this department exposed personal information, including names, dates of birth, and Social Security numbers, affecting numerous individuals. The incident underscores the vulnerabilities in public sector data management. Source: HIPAA Journal

Security Research

1. Mark Zuckerberg's Meta 'cannot be trusted to tell the truth' about child safety: whistleblowers: Two former researchers testified before a Senate panel, accusing Meta Platforms of prioritizing profit over child safety on its virtual-reality platform. They claimed that Meta systematically suppressed internal research highlighting serious child safety risks. This testimony has sparked significant public and legislative scrutiny. Source: NY Post
2. Claude's new AI file creation feature ships with deep security risks built in: Ars Technica reports on the security risks associated with Anthropic's new AI feature, Claude. Experts criticize the company for shifting the responsibility of monitoring potential data leaks to users, highlighting the need for more robust security measures in AI development. Source: Ars Technica
3. Call audio from gym members, employees in open database: A security researcher discovered an unsecured AWS repository managed by HelloGym, exposing call audio from gym members and employees. This incident underscores the importance of securing cloud storage to protect sensitive data from unauthorized access. Source: The Register
4. Salty2FA Takes Phishing Kits to Enterprise Level: Dark Reading highlights how cybercriminals are using advanced phishing kits, such as Salty2FA, to target enterprises. These kits mimic legitimate business strategies, making them more effective and dangerous, emphasizing the need for enhanced cybersecurity measures. Source: Dark Reading
5. Anthropic Details AI-Powered Ransomware Program Built By Novices and Sold as a Service: Anthropic has disclosed several AI-powered security threats, including a ransomware development operation accessible to non-technical users. This revelation highlights the growing accessibility of sophisticated cyber tools, raising concerns about the democratization of cybercrime. Source: Cloud Wars

Top CVEs

1. CVE-2025-47437: Server-Side Request Forgery (SSRF) vulnerability in LiteSpeed Technologies LiteSpeed Cache allows attackers to exploit the server's trust in external systems, potentially leading to unauthorized data access or manipulation. This vulnerability affects multiple versions of LiteSpeed Cache. Source: Vulners.
2. CVE-2025-39541: A Missing Authorization vulnerability in Roland Murg WP Simple Booking Calendar could allow unauthorized users to access or modify booking data, posing a significant risk to the confidentiality and integrity of the calendar's information. Source: Vulners.
3. CVE-2025-52915: The K7RKScan.sys driver in K7 Security Anti-Malware suite has a flaw that allows admin-privileged users to send crafted IOCTL requests, potentially terminating protected processes. This could lead to denial of service by disrupting critical services. Source: Vulners.
4. CVE-2025-54236: Adobe Commerce is affected by an Improper Input Validation vulnerability, which could be exploited to achieve session takeover. This increases the risk to confidentiality and integrity of user sessions, without requiring user interaction. Source: Vulners.
5. CVE-2025-55232: A deserialization vulnerability in Microsoft High Performance Compute Pack (HPC) allows unauthorized code execution, posing a severe threat to system integrity and potentially allowing attackers to gain control over affected systems. Source: Vulners.

API Security

1. Prebid Universal Creative (PUC) API Security Issue: Prebid Universal Creative (PUC), a JavaScript API for rendering multiple formats, was briefly affected by crypto-related malware. Users of PUC 1.17.3 or the latest version were impacted, including those using the popular jsdelivr hosting. The maintainers have unpublished version 1.17.3, and users are advised to transition to version 1.17.2 to avoid similar attacks. Source: CVE-2025-59039
2. Infrahub API Token Vulnerability: Infrahub, a central hub for managing data, templates, and playbooks, had a bug in its authentication logic that caused deleted or expired API tokens to be considered valid. This issue was fixed in versions 1.3.9 and 1.4.5. Users are advised to update to these versions or deactivate accounts associated with deleted tokens as a workaround. Source: CVE-2025-59036
3. DuckDB NPM Packages Compromised: The DuckDB distribution for Node.js on npm was compromised with malware, affecting four packages with malicious code targeting cryptocoin transactions. The affected versions were deprecated, and users are advised to upgrade to versions 1.3.4, 1.30.0, or higher to protect themselves. Source: CVE-2025-59037
4. listmonk CSRF to XSS Chain Vulnerability: A vulnerability in listmonk allows Cross-Site Request Forgery (CSRF) to be chained with Cross-Site Scripting (XSS), potentially leading to admin account takeover. The lack of nonce validation in HTTP requests can be exploited to execute JavaScript code in the victim's browser, compromising the web application. Source: GHSA-RF24-WG77-GQ7W
5. CoreDNS DNS Cache Pinning Vulnerability: CoreDNS's etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for extended periods. This can cause a denial of service for DNS updates/changes to affected services. Source: GHSA-93MF-426M-G6X9

Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the digital landscape is fraught with challenges and opportunities for those of us in the cybersecurity field. From data breaches affecting major organizations and public institutions to vulnerabilities in widely-used software, the threats are as varied as they are persistent. Each story we shared today underscores the critical importance of vigilance, proactive measures, and continuous learning in safeguarding our digital assets.

Whether it's the exposure of sensitive data at Cornwell Quality Tools and Salesloft, or the vulnerabilities in technologies like LiteSpeed Cache and Adobe Commerce, these incidents remind us that cybersecurity is a shared responsibility. It's not just about protecting our own systems but also about understanding the broader ecosystem in which we operate.

We hope you found today's insights valuable and that they serve as a catalyst for discussions within your teams and organizations. If you believe others in your network could benefit from staying informed about the latest cybersecurity developments, please share this newsletter with your friends and colleagues. Together, we can build a more secure digital world.

Thank you for being a part of the Secret CISO community. Stay vigilant, stay informed, and we'll see you in the next edition!