Good morning. This is your security briefing for Thursday, October 16, 2025, covering seven critical developments from the past day. All attribution is by the article authors, and all article analysis is automated.
Koi reports that the threat actor TigerJack has deployed at least 11 malicious VS Code extensions across multiple marketplaces, infecting over 17,000 developers. These extensions steal source code in real time, mine cryptocurrency, and establish remote backdoors; malicious versions remain active in the OpenVSX marketplace despite their removal from Microsoft's official marketplace.
Microsoft has released SecRL, an open-source benchmark for evaluating Large Language Model agents on cyber threat investigation tasks. The framework tests LLM capabilities in analyzing security incidents and performing investigative workflows typical of security operations centers.
Denis Petrov reports that Chinese state-sponsored hackers are blamed for a severe security breach at F5, a major US cybersecurity and networking firm. The incident represents a significant targeting of critical US cyber infrastructure by nation-state actors.
Prelude Security has published a technical analysis of Pointer Authentication Codes (PAC), a memory-corruption exploit mitigation available on ARM architectures. PAC signs pointers by storing a cryptographic signature in the unused upper bits of a 64-bit address, so that a pointer's integrity can be verified at runtime before it is used for control flow or data access.
Wiz Research discovered over 550 leaked secrets across 500-plus VSCode and Open VSX marketplace extensions, including access tokens that could enable attackers to push malicious updates to 150,000 users. Wiz collaborated with Microsoft to implement platform-level guardrails and notify affected publishers.
Abdul presents a proactive threat hunting methodology for detecting potential compromises related to F5 security incident K000154696. The framework focuses on detecting unauthorized access to F5 management APIs, configuration exfiltration, and post-exploitation activity, using Sigma rules tuned for a low false-positive rate.
Trend Research reports that attackers exploited Cisco SNMP vulnerability CVE-2025-20352 to deploy Linux rootkits on unprotected network devices in Operation Zero Disco. The campaign enabled remote code execution, persistent unauthorized access via universal passwords, and memory-space hooks, while evading endpoint detection on older Linux systems.