Good morning. This is your security briefing for Saturday, October 11, 2025, covering 19 articles across threat research, nation-state activity, critical vulnerabilities, and industry developments. All attribution is by the article authors, and all article analysis is automated.
Security Blueprints reports that researcher Niels Provos analyzed 70 major data breaches and found that three security invariants—hardware second factors, egress control, and a third implied control—could have prevented over 65% of incidents including SolarWinds and the OPM breach.
A 15-year-old bug bounty hunter discovered an OData injection vulnerability in Microsoft's events platform that exposed entire event registration databases including names, phone numbers, emails, and addresses. Microsoft has fixed the initial vulnerability, though the researcher claims to have found a bypass.
InfoGuard Labs analyzed Microsoft Defender for Endpoint's cloud communication and discovered vulnerabilities including authentication bypass and command spoofing that could impede incident response in post-breach scenarios. Microsoft classified all findings as low severity after disclosure in July 2025.
OpenAI published its October 2025 report detailing threat actor activities and enforcement actions taken against accounts attempting to misuse AI systems for malicious purposes.
Hamid-K produced an analysis based on leaked internal documents from the Charming Kitten APT group, revealing sophisticated Iranian espionage operations primarily targeting entities in Israel and Jordan. The analysis examines the group's tactics and infrastructure based on materials leaked to the KittenBusters GitHub repository.
A technical analysis from Weixin Official Accounts Platform details OceanLotus APT32's use of the Havoc remote access trojan targeting Chinese government and critical infrastructure. The malware employs DLL hollowing and maintains persistence through registry modifications.
Internet Initiative Japan discovered a 2025 variant of Kivars malware used by BlackTech APT group targeting Japanese and Taiwanese organizations. IIJ released an open-source configuration extraction tool to aid incident response and threat hunting.
Aryaka Threat Research Labs reports that Vietnamese threat group BatShadow is conducting targeted operations against digital professionals using a tool called Vampire Bot, representing sophisticated tooling consistent with nation-state capabilities.
LegitSecurity discovered CamoLeak, a critical vulnerability in GitHub Copilot Chat with a CVSS score of 9.6 that enabled silent exfiltration of secrets and source code through a novel CSP bypass combined with remote prompt injection. GitHub has remediated the vulnerability by completely disabling image rendering in Copilot Chat.
Zero Day Initiative disclosed a directory traversal vulnerability in 7-Zip's handling of symbolic links in ZIP files that allows remote code execution. The flaw has been patched in 7-Zip version 25.00.
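The archive-traversal class above (entry names or symbolic-link targets that resolve outside the extraction directory) can be screened for before extraction. The following is an added example written for this briefing, not code from the ZDI advisory or from 7-Zip: it builds a small constructed ZIP in memory containing a benign file, a traversal entry name, and a symlink whose target escapes the extraction root, then reports which entries a safe extractor should refuse.

```python
import io
import posixpath
import stat
import zipfile


def _escapes_root(path: str) -> bool:
    """True if a POSIX-style relative path resolves outside the extraction root."""
    if path.startswith("/") or path.startswith("\\"):
        return True  # absolute paths are never acceptable in an untrusted archive
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def find_unsafe_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry_name, reason) for entries that would land outside the extraction root.

    Two checks are made: the entry name itself, and, for entries stored as
    symbolic links (Unix mode bits in the high 16 bits of external_attr),
    the link target resolved relative to the link's own directory.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if _escapes_root(name):
                findings.append((name, "entry name escapes extraction root"))
                continue
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                # For a symlink entry the file body is the link target.
                target = zf.read(info).decode("utf-8", "replace")
                resolved = posixpath.join(posixpath.dirname(name), target)
                if target.startswith("/") or _escapes_root(resolved):
                    findings.append((name, f"symlink target {target!r} escapes extraction root"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not from the article) with one benign entry and two unsafe ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        zf.writestr("../outside.txt", "traversal via entry name\n")
        link = zipfile.ZipInfo("docs/link")
        link.create_system = 3  # mark as Unix so external_attr carries mode bits
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../etc/target")  # symlink body is its target path
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in find_unsafe_entries(build_sample_archive()):
        print(f"REFUSE {entry}: {reason}")
```

In practice an extractor handling untrusted input should refuse any symlink entry outright rather than reason about its target, because a link that points inside the root can still be written through by a later entry; the check above is the minimum a gatekeeper should apply before handing an archive to a tool that honours symlinks.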
Huntress discovered active exploitation of an unauthenticated local file inclusion vulnerability in Gladinet CentreStack and Triofox products that enables remote code execution. Three customers have been impacted, and while no patch exists yet, a mitigation workaround is available.
NVIDIA released security updates for GPU Display Drivers addressing multiple high-severity vulnerabilities that enable privilege escalation and arbitrary code execution. Linux drivers are particularly affected, with significant impact on shared model training environments.
Socket's Threat Research Team discovered 175 malicious npm packages that received over 26,000 downloads and abused the unpkg CDN to host redirect scripts for a credential-phishing campaign targeting over 135 organizations.
GreyNoise reports that since October 8th, a coordinated botnet operation involving over 100,000 unique IP addresses from more than 100 countries has been targeting Remote Desktop Protocol services in the United States. The participating IPs share similar TCP fingerprints indicating centralized control.
eSentire has identified a new Rust-based malware called ChaosBot that leverages Discord for command and control communications, representing an emerging trend of threat actors using legitimate cloud platforms to evade detection.
Apple announced a major expansion of its Security Bounty program, doubling its top reward to $2 million for exploit chains matching sophisticated mercenary spyware capabilities. Since 2020, Apple has awarded over $35 million to more than 800 security researchers.
TechCrunch reports that NSO Group, the controversial Israeli spyware maker known for its Pegasus surveillance tool, has confirmed its acquisition by US-based investors. This represents a significant ownership change for one of the world's most prominent commercial spyware vendors.
The UK's National Cyber Security Centre published its weekly CTO summary covering cybersecurity developments and activities for the week ending October 12th.
Huntress reports a widespread compromise of SonicWall SSLVPN infrastructure, with over 100 accounts across 16 customer organizations impacted. This represents an active campaign targeting enterprise VPN infrastructure across multiple organizations.