SecurityWeek’s weekly cybersecurity news roundup provides a concise overview of notable developments that don’t receive full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack techniques, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
10-year-old phpBB flaw allows session hijacking
Researchers discovered a critical authentication bypass in phpBB versions up to 3.3.16 and 4.0.0-a2. A single unauthenticated HTTP request can impersonate any user, including admins, exposing private messages and forum content, and providing full administrative control. phpBB users should upgrade immediately to 3.3.17 or the latest master branch. The issue, reported via HackerOne, received a patch within days, but thousands of active forums remain exposed.
Velvet Ant maintained decade-long stealth in air-gapped critical infrastructure
China-nexus actor Velvet Ant compromised an organization’s segregated network starting around 2016. It chained internet-facing footholds, Nginx/FastCGI proxies, and backdoored PAM/OpenSSH components for credential theft and persistent access. The group deployed variants of GS-Netcat, SOCKS5 proxies, and nine pam_unix.so backdoors across hosts. Remediation proved complex.
MaXSS and Spyder flaws expose 10 million Chrome users to hacking
Critical vulnerabilities in the SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions can allow malicious websites to trigger arbitrary extension actions, including hidden tab screenshots, AI memory dumps, and potential file access. With over 10 million combined installs and no vendor response, the issues enable full browser session compromise and account takeovers without user interaction. Users should remove the extensions until they are fixed.
AWS unveils Continuum
AWS has announced a new AI-powered tool designed to help organizations discover, prioritize, validate, and resolve vulnerabilities. Available in gated preview, Continuum takes findings from existing tools and its own scanning, prioritizing them based on exploitability in the customer’s own environment.
1.2 million WordPress sites compromised in OptinMonster supply chain attack
Attackers injected malicious JavaScript into Awesome Motive’s OptinMonster, TrustPulse, and PushEngage WordPress plugin CDN scripts. The payload activates for logged-in admins, creating rogue administrator accounts and a hidden backdoor plugin. The breach stemmed from a compromised UpdraftPlus instance and CDN key. The supply chain attack is believed to have hit more than 1.2 million WordPress sites.
FTC says imposter scams cost Americans $3.5 billion in 2025
The FTC reported imposter scams as the most common fraud category, with losses nearly tripling since 2020. Bank and government impersonation schemes drove the bulk of the damage, often via fake security alerts urging money transfers. Overall fraud losses hit a record $16 billion. The agency continues enforcement under its Impersonation Rule and supports public awareness campaigns.
US DOT closes investigation into Delta’s 2024 CrowdStrike outage response
The Department of Transportation ended its probe into Delta’s prolonged recovery from the global CrowdStrike incident without penalties. Investigators found the airline provided adequate refunds, baggage assistance, and support for passengers with disabilities. This aligns with the current administration’s shift away from certain Biden-era consumer protection enforcement approaches.
JetBrains Marketplace plugins steal developer AI keys
At least 15 malicious AI coding assistant plugins, published in the JetBrains Marketplace under various vendor accounts, exfiltrate OpenAI, DeepSeek, and similar API keys. The plugins have racked up nearly 70,000 installs while functioning as advertised. Keys are sent in plaintext to a hardcoded attacker server. The plugins also appear to resell the stolen access to paying customers.
Apple releases Beats firmware fixing unauthenticated mic access
Beats Studio Buds firmware update 1B211 patches CVE-2025-20701, which allowed nearby attackers to listen via the microphone on unpaired devices actively seeking connections. Updates apply automatically when paired with Apple devices. CVE-2025-20701 is one of three Bluetooth security issues disclosed last year, which were found to impact devices from multiple major vendors.
Popa botnet tied to Israeli proxy provider
Researchers linked the large Popa Android TV box botnet, used for residential proxy traffic in ad fraud and scraping, to NetNut, operated by publicly traded Israeli company Alarum Technologies. Researchers said an SDK turns compromised streaming devices into persistent proxies. The operation involves millions of IPs daily and raises concerns about local network exposure and ties to data scraping. NetNut and Alarum have disputed the allegations, calling them “demonstrably inaccurate assertions and flawed deductions rather than verified facts.”
GCP Config Connector enables org-wide IAM owner takeover
A confused deputy vulnerability in Config Connector lets any Kubernetes namespace user escalate to GCP Organization Owner by submitting a malicious IAMPolicyMember. Google acknowledged the issue internally as P1/S1 but later classified it as “working as intended” and left it unpatched. The bypass affects organizations using the service for organization-level management.
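A cluster-side guardrail for the confused-deputy path described above, added here as an example that is not part of the article or of Config Connector’s own documentation: a Kubernetes ValidatingAdmissionPolicy that rejects Config Connector IAM objects targeting an Organization, and refuses roles/owner at any level. It assumes the Config Connector schema fields spec.resourceRef.kind, spec.role (IAMPolicyMember) and spec.bindings[].role (IAMPolicy/IAMPartialPolicy), a Kubernetes 1.30+ cluster where ValidatingAdmissionPolicy is GA, and a hypothetical platform namespace named cnrm-platform that is allowed to manage org-level policy.

```yaml
# Added example (not from the article or Config Connector's docs).
# Assumption: IAM resources carry spec.resourceRef.kind (Project, Folder,
# Organization), spec.role (IAMPolicyMember) or spec.bindings[].role.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: block-org-level-iam-grants
spec:
  failurePolicy: Fail          # a CEL evaluation error rejects the request
  matchConstraints:
    resourceRules:
      - apiGroups:   ["iam.cnrm.cloud.google.com"]
        apiVersions: ["*"]
        operations:  ["CREATE", "UPDATE"]
        resources:   ["iampolicymembers", "iampolicies", "iampartialpolicies"]
  validations:
    # Rule 1: no namespace may bind IAM at the organization node at all.
    - expression: >-
        !(has(object.spec.resourceRef) &&
          has(object.spec.resourceRef.kind) &&
          object.spec.resourceRef.kind == 'Organization')
      message: "Organization-level IAM bindings are not permitted from this cluster."
    # Rule 2: roles/owner is never granted through Config Connector.
    - expression: >-
        (!has(object.spec.role) || object.spec.role != 'roles/owner') &&
        (!has(object.spec.bindings) ||
          object.spec.bindings.all(b, b.role != 'roles/owner'))
      message: "roles/owner may not be granted through Config Connector."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: block-org-level-iam-grants
spec:
  policyName: block-org-level-iam-grants
  validationActions: ["Deny"]   # roll out with ["Audit"] first to observe hits
  # Exempt only the namespace where the platform team intentionally manages
  # org-level policy (hypothetical name: cnrm-platform); adjust to your layout.
  matchResources:
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["cnrm-platform"]
```

Because Config Connector's controller applies whatever the cluster accepts, admission is the last point where a namespace user's request can be stopped before it is executed with the controller's GCP identity.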
ShinyHunters leaks Knicks and MSG talent and customer data
Hackers published Madison Square Garden data, including details on Knicks-related “talent” (players, coaches, celebrities) with risk assessments, addresses, and contact information, along with customer correspondence. The dump follows a June 5 breach. ShinyHunters continues its pattern of public leaks to pressure victims.
Related: In Other News: Google Security Layoffs, AudiA6 Takedown, $400 Million Coupang Fine
Related: In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA