A stored cross-site scripting (XSS) vulnerability in the Create Article function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Link parameter.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-p632-58pp-c9xg: moonshine Stored Cross-Site Scripting Vulnerability in Create Article

A stored cross-site scripting (XSS) vulnerability in the Create Admin function of MoonShine v3.12.3 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter.

GHSA-rh9f-gr6q-mpc4: moonshine Stored Cross-Site Scripting Vulnerability in Create Admin

An arbitrary file upload vulnerability in MoonShine v3.12.4 allows attackers to execute arbitrary code via uploading a crafted SVG file.

GHSA-8xfq-7f6m-mpmf: MoonShine Arbitrary File Upload Vulnerability

MoonShine v3.12.5 was discovered to contain a SQL injection vulnerability via the Data parameter under the Blog module.

GHSA-9g9j-3w64-3cjh: MoonShine SQL Injection Vulnerability

A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface.

Liferay Portal is fixed on the master branch from commit c1b7c6b.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-22jp-w3cg-gvmm: Liferay Portal has Stored Cross-Site Scripting Vulnerability via Message Boards Feature

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization.

Liferay Portal is fixed on the master branch from commit ff18e7d.

GHSA-7mxq-h2r7-h449: Liferay Portal Email Modification Vulnerability via Calendar Portlet

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster…

Citizen Lab’s new report, Hidden Links, uncovers a network of VPN providers like Turbo VPN and VPN Monster that are controlled by a single company and use dangerous security practices, including hard-coded passwords and weak encryption.

A new research paper titled “Hidden Links: Analyzing Secret Families of VPN Apps” has exposed how some popular Virtual Private Network (VPN) providers intentionally hide their true ownership and share security flaws.

The paper was co-authored by Benjamin Mixon-Baca, Jeffrey Knockel, and Jedidiah Crandall and published by Citizen Lab. Their study involved a deep analysis of apps from the Google Play Store, looking at everything from code similarities and network communications to business filings.

Researchers identified three families of VPNs that are secretly operated by the same entity. The most notable group includes Innovative Connecting, Autumn Breeze, and Lemon Clove, which have over 700 million downloads combined.

These companies distribute apps such as Turbo VPN, VPN Monster, and Snap VPN, and are linked to a Chinese national security firm, Qihoo 360, which has been sanctioned by the US government.

It is worth noting that Turbo VPN and Snap VPN were also named in the Tech Transparency Project’s June 2025 report, which cited national security concerns related to the possibility of these VPNs transferring US data to China.

A second family of providers, with over 380 million downloads, included MATRIX MOBILE PTE LTD and ForeRaya Technology Limited. A third family included Fast Potato Pte. Ltd and Free Connected Limited.

Further probing revealed that many of these VPNs use a specific technology called Shadowsocks, which was originally created to bypass internet censorship in China, not to provide privacy. The apps used outdated and unsafe methods for encryption, making them easier to hack. Some apps were also caught collecting a user’s location and sending it to a server, even though their privacy policies promised they wouldn’t.

Another key finding (PDF)was that these apps share not only code but also serious security vulnerabilities. For example, two of the families used a single, hard-coded password for their VPN apps. For your information, a hard-coded password is a secret key permanently built into an app, which means it’s the same for every single user. This allows anyone who discovers the password to decrypt the traffic of all users of that app, making their private information visible to eavesdroppers.

Researchers were able to use these shared passwords to confirm that different-looking VPN services were actually sharing the same servers. They also noted three other apps from VPN Super Inc., Miczon LLC, and Secure Signal Inc. that did not appear to have these hidden links.

Nonetheless, the shared security flaws mean that if one app in a family is vulnerable, so are all the others. These findings highlight that what appear to be distinct VPN apps are often part of a single, malicious network, putting millions of users at risk.

This is why it’s so important for users to know who is really behind their VPN service. The study emphasizes the critical need for transparency from VPN providers and calls on app stores like Google Play to improve how they verify the identity of app developers and audit app security.

Citizen Lab Reports Hidden VPN Networks Sharing Ownership and Security Flaws

Financial institutions like trading and brokerage firms are the target of a new campaign that delivers a previously unreported remote access trojan called GodRAT.
The malicious activity involves the "distribution of malicious .SCR (screen saver) files disguised as financial documents via Skype messenger," Kaspersky researcher Saurabh Sharma said in a technical analysis published today.
The

New GodRAT Trojan Targets Trading Firms Using Steganography and Gh0st RAT Code

Scam compounds in Cambodia, Myanmar, and Laos have conned people out of billions. New research shows they may be linked to child sextortion crimes too.

Over the past decade, organized crime gangs working out of Southeast Asia have scammed people out of billions of dollars. Operating giant scam compounds—where experts estimate around 200,000 victims of human trafficking have been forced to run scams 24 hours a day—the criminal enterprises have used an array of romance, cryptocurrency investment, and impersonation fraud to target thousands of people around the world. Now new research reveals that the already chilling scam compounds may have an even darker underbelly.

Nearly 500 reports linked to child sextortion made over a two-year period to the National Center for Missing and Exploited Children (NCMEC), a US child safety organization, have been tied back to scam compounds operating in Southeast Asia, according to new research exclusively shared with WIRED by the anti-slavery organization International Justice Mission. Another 18,000 child exploitation reports made to NCMEC also contain IP addresses used by devices at known scam compound locations, the research says.

At least 40 of 44 previously identified scam compounds in Cambodia, Myanmar, and Laos can be linked to the child sextortion reports, says Eric Heintz, a global analyst at the IJM who focuses on combatting forced scamming and was part of the team behind the study. Heintz says it is the “first clear evidence” that the forced scamming operations are “likely” linked to global instances of child sextortion. “It was surprising how widespread it was,” he says, adding that the wider data also indicated the locations of previously undiscovered scam compounds.

The findings directly linking scam compounds to the reports of sexual exploitation of children and young people come as sextortion cases have exploded in the past few years. Sextortion often involves criminals tricking someone into sharing sexually explicit images, which they then use to blackmail that person into making payments. While all cases of sextortion can be devastating, criminals have increasingly targeted children, and dozens of teenage boys have reportedly taken their own lives as a result. Many sextortion cases against children have been linked back to Nigerian Yahoo Boy scammers and other West African fraudsters.

The new IJM research, which was funded by child safety group Safe Online and the Thomson Reuters Social Impact Institute, reviewed data from more than 1.1 million “online enticement” incidents—including 3.1 million IP addresses—that tech companies reported to NCMEC between January 2022 and August 2024. Tech companies and electronic service providers in the US are required to report online child exploitation incidents to NCMEC’s CyberTipline.

The data was cross-referenced with IP addresses known to be used at the location of 27 scam compounds in Cambodia, 16 in Myanmar, and one in Laos. In total, 18,017 of the child exploitation reports to NCMEC contained IP addresses used at the scam compounds. To establish a stronger link between the potential sextortion cases and the scam centers, the IJM researchers also obtained mobile phone advertising data from data brokers and compared it against the data from NCMEC. Taking all of their analysis together, the IJM concluded that at least 493 of the reports made to the NCMEC are “likely” directly connected to forced scamming locations.

“There are limitations to what we can see with this data, but what we have so far is accurate,” says Heintz. “If anything, I think it’s undercounting the scale of the problem.”

The data the researchers obtained is only a snapshot of some alleged sextortion activity linked to scam centers. For instance, advertising industry mobile data is incomplete, the NCMEC data does not contain all possible reported sextortion cases, and tech companies reporting data to NCMEC likely skew toward American firms.

In its report, the IJM points to multiple reports of scam centers being linked to wider sextortion against adults. The report does not rule out that children are being deliberately targeted with sextortion crimes but notes that children may also get caught in schemes targeted at adults if they are using parents’ or other caregivers’ devices. Now that this research has demonstrated a link, the researchers emphasize that further research is needed to strengthen authorities’ understanding of the connection between child sextortion and scam compounds and determine whether children are being specifically targeted. NCMEC did not immediately respond to WIRED’s request for comment.

Often run by Chinese organized crime groups, scam compounds have exploded across Southeast Asia since roughly 2019. Criminals have trafficked thousands of people from more than 70 countries into the compounds, where they are usually held captive, have their passports taken away, and are forced to scam people online. If they refuse, they can be beaten and brutalized. Initially targeting Chinese speakers, the scam centers have deployed so-called “pig butchering” scams, alongside various other forms of investment and romance scams. With vast flows of illicit cash, the criminals have increasingly opened scam compounds in the Middle East, West Africa, Latin America, and Eastern Europe; they have targeted scams against people across the world and altered the ways they scam people.

“Scam centers and cyber-enabled fraud networks in Southeast Asia have rapidly diversified their business lines and scope of targeting, increasingly integrating sextortion as well as malware, deepfakes and pornography into their operations,” says John Wojcik, a senior threat researcher focusing on Asia at the cybersecurity firm Infoblox. An October 2024 report into the growth of scam compounds from the United Nations Office on Drugs and Crime, which was partially authored by Wojcik, who worked at the organization at the time, pointed to the increase in sextortion cases against adults and the use of AI.

Wojcik says the IJM research is consistent with reports from law enforcement agencies within Southeast Asia that there has been a “steady rise” in financial sextortion cases against children.

Hieu Minh Ngo, a reformed criminal hacker and now cybercrime investigator at the Vietnamese nonprofit scam-fighting organization Chongluadao, says he has seen sextortion efforts targeting young people and adults in Vietnam in the past few years, and these “operations trace back to scam compounds” located along the Vietnam-Cambodia border. “The tactics are consistent: Bad actors pose as attractive individuals on social media, build trust with victims, then coerce them into sharing sensitive images or videos,” Ngo says. The use of AI deepfakes is also increasing, he adds. “This trend shows clear links between regional scam compounds and organized sextortion targeting children and vulnerable populations.”

“It’s likely only a matter of time before they scale up operations in other parts of the world, as they have done in the past,” Wojcik says.

While some efforts have been made to shut down the operations of scam compounds—including thousands of alleged arrests, internet and power shutdowns, and sweeping political declarations—the scam compounds are still operational and appear to be continually expanding. Criminal organizations have flourished as a result of local corruption, weak enforcement of laws, and the ability to use Big Tech services to run scams, such as creating social media accounts that are used to trick people and using web hosting infrastructure to run scams.

Heintz says that governments and tech companies need to do more to tackle the many crimes linked to the scam compounds—including human trafficking, fraud, money laundering, and now, following the IJM’s research, evidence that children are likely being harmed. “Everyone is treating this just as a financial crime or a fraud crime, where the tools that everyone can use are limited to that type of crime,” Heintz says. “Now that you have internet crimes against children, then that should open the door for more tools that both tech companies and governments can use.”

493 Cases of Sextortion Against Children Linked to Notorious Scam Compounds

By addressing these overlooked risk vectors, organizations can continue leveraging GitHub's innovation while protecting against sophisticated supply chain attacks targeting interconnected software.

Latest News