24 April 2026


AI vendor breach causes trouble for Vercel | Cyber Intelligence Briefing – 24 April 2026


Top news stories this week

  1. UnAppy. AI vendor breach causes trouble for app developer Vercel.
  2. Incarcerated spider. Scattered Spider hacker pleads guilty in major US cybercrime case.
  3. Mythos mishap. Unauthorised access to Anthropic’s AI tool gained via third party.
  4. Plunder down under. Australian public servant arrested over theft of government documents.
  5. Don't call me maybe. ClickFix and Microsoft Teams used in social engineering attacks.
  6. ANTS under attack. French government body responsible for personal documents suffers data breach.

1. AI vendor breach causes trouble for app developer Vercel  

Cloud app development giant Vercel confirmed a data breach after hackers breached Context AI, a third-party application, and stole OAuth tokens belonging to its users, including a Vercel employee. Using that token to pivot through the employee's Google Workspace account, the attackers accessed Vercel's internal environment and stole access keys and source code.

So what?

Organisations should enforce an OAuth allowlist, permitting employees to connect only pre-vetted, IT-approved applications. Additionally, all environment variables and secrets should be encrypted by default.

[Researcher: Aditya Ganjam Mahesh]  


2. Scattered Spider hacker pleads guilty in major US cybercrime case 

Scottish national Tyler Robert Buchanan, a key member of the Scattered Spider threat group, has pleaded guilty to orchestrating large-scale SMS phishing and SIM‑swapping attacks in a US federal court. The case highlights Scattered Spider’s reliance on social engineering rather than malware, and Buchanan now faces the prospect of more than 20 years in prison. 

So what?

The guilty plea shows cross‑border cyber enforcement is working, but decentralised groups such as Scattered Spider are able to operate for years before arrests translate into real disruption. 

[Researcher: Jenny Eysert]  


3. Unauthorised users access Mythos preview via third-party vendor environment

A small group of unauthorised users reportedly accessed Claude Mythos, an unreleased AI tool created by Anthropic with advanced cyber security capabilities, by combining insider knowledge and guessing the online location of the model using information exposed in a third-party data breach.

So what?

Even less advanced attack vectors pose significant risks. Restricting access to high-capability AI models requires supply chain security and active access monitoring.

[Researcher: Steve Ross]



4. Australian public servant arrested over theft of government documents 

An individual who worked in procurement within the largest treasury department in Australia has been arrested after allegedly transferring 5,600 confidential files onto an external server. These documents contained confidential commercial and financial information including current and previous government negotiations with the private sector. 

So what?

Companies should ensure relevant and proportionate controls are in place, including download site access restriction policies, USB download controls and appropriate network segmentation, supplemented by ongoing awareness training regarding the handling of data.  

[Researcher: Lester Lim]


5. ClickFix and Microsoft Teams used in social engineering campaigns

Security researchers have warned of a ClickFix campaign targeting macOS devices to harvest sensitive data. The attack involves displaying a fake CAPTCHA prompt to trick the user into running malicious code, which installs infostealer malware. Separately, Microsoft Teams vishing campaigns remain a threat; these involve impersonating IT support staff to gain initial access by persuading users to grant remote access.

So what?

Social engineering is a common initial access vector, highlighting the need for employee awareness and training.

[Researcher: Lena Krummeich]



6. French government body responsible for personal documents suffers data breach 

The French National Agency for Secure Documents (ANTS) has suffered a major data breach impacting 11.7 million accounts. The agency is responsible for issuing personal documents such as passports, national ID cards, driver’s licenses, and immigration documents. A threat actor using the alias breach3d claimed responsibility on hacking forums, alleging the theft of 19 million records, which they are offering for sale.

So what?

Individuals should be vigilant when interacting with suspicious correspondence from companies in the aftermath of a data breach to guard against phishing attacks.  

[Researcher: Jack Woods]


The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends, and indicators, curated by our intelligence specialists.
