Cybersecurity firm Ontinue reveals how the open-source tool Nezha is being used as a Remote Access Trojan (RAT) to bypass security and control servers globally.

A popular software tool used by website owners to check their server’s health is now being used by hackers to take complete control of computers. Researchers at the cybersecurity firm Ontinue have discovered that an open-source tool called Nezha is being repurposed as a Remote Access Trojan (RAT). This allows outsiders to sneak into a system and stay there without being noticed.

****The Invisible Threat****

For your information, Nezha was originally designed as a helpful tool for the IT community and has gained nearly 10,000 stars on GitHub. It acts like a dashboard for a car, showing how much memory a server is using and if it’s running smoothly.

Because it is legitimate software used by thousands of professionals, security apps usually ignore it. According to researchers, the software shows “0/72 detections” on the VirusTotal scanner. In short, it isn’t actually malware; it’s just a normal tool being exploited by hackers.

****Ready to Use “Out of the Box”****

Further investigation revealed that Nezha is particularly dangerous because it is “full-featured out of the box.” Unlike many hacking tools that require complex setup, Nezha works immediately after installation, and an attacker “doesn’t need to compile custom payloads” or link multiple tools together to get what they want. It is a one-stop shop for taking over a device.

Once this “agent” is active, it gives the attacker “SYSTEM/root level access,” which is the highest permission a computer has. With this power, they can manage files, run commands, and even open an interactive web terminal to watch the system in real-time. Furthermore, it works on almost anything from Windows and Linux to macOS and even home internet routers. This wide “cross-platform support” means a hacker can manage hundreds of stolen devices from a single dashboard.

Nezha’s central dashboard shows its client-server model (Source: Ontinue)

****Blending In to Stay Hidden****

As we know it, most hackers have to work hard to hide their tracks. However, Nezha has a built-in advantage: its internet traffic looks completely normal. The tool communicates using standard web protocols that “resemble normal monitoring telemetry” rather than obvious hacking signals. Without inspecting the destination, this network activity doesn’t stand out at all.

This isn’t the first time Nezha has been spotted in the wrong hands. Back in October 2025, another firm, Huntress, found similar attacks targeting organisations across East Asia, including Japan and South Korea.

In this latest case, Ontinue’s team noted that the hackers used a script containing Simplified Chinese messages, suggesting a native speaker. They also discovered the hacker’s command centre was hosted on Alibaba Cloud services in Japan.

The map shows where Nezha connections are most active (Source: Ontinue)

To stay safe, experts suggest that companies should proactively hunt for Nezha on their systems. If it hasn’t been officially approved by the IT department, its presence is a major red flag.

Sharing their insights with Hackread.com, industry experts noted that this incident is part of a broader trend in digital warfare. Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, explained that this reflects a strategy where attackers “systematically abuse legitimate software to achieve persistence and lateral movement while evading signature-based defences.”

Dani warned that because Nezha provides such high-level access, it helps attackers “cut development time to reliably execute remote commands” and access files. He urged organisations to “stop viewing tools as either malicious or benign, and instead focus on usage patterns and context.”

Adding to this, John Gallagher, Vice President of Viakoo Labs at Viakoo, noted that the situation is a call for a stronger “Defence in Depth” approach. He pointed out that while agent-based tools like Nezha are useful, they inherently carry more risk because they live directly on the device.

“There needs to be more analysis on the who, what, and why,” Gallagher stated, adding that it is particularly “concerning how the US accounts for the most common location for this running on the internet,” said Gallagher.

Hackers Abuse Popular Monitoring Tool Nezha as a Stealth Trojan

There’s a new era for training and development programs, making the LMS (Learning Management System) cloud model the…

There’s a new era for training and development programs, making the LMS (Learning Management System) cloud model the only realistic option to consider. This fresh approach to teaching enables scalable, flexible, and accessible learning experiences through a cloud-based LMS. As the name suggests, a cloud-based LMS is flexible in nature, allowing companies to establish a more dynamic learning approach.

****The Basics of an LMS Cloud Model****

One of the benefits of hosting your LMS in the cloud is that users can access learning resources anytime, anywhere. Unlike a real-world session, the fluidity that comes with MOOCs (Massive Open Online Courses) enables learners to revisit content at their own pace, taking learning from passivity to participation.

This cloud model is designed to result in lower spending on physical infrastructure and reduced maintenance costs. An LMS cloud offers businesses an elastic environment that can support ebbs and flows in staffing and training. With an LMS cloud, organisations gain a scalable platform that grows in tandem with their workforce and training needs. 

****Scalability: Meeting Growing Demands****

The first and most important benefit of a cloud LMS is its scalability. As your organisation grows, you can scale up the system to accommodate more users with minimal effort. It is this flexibility that enables even the smallest organisation to access learning.

There’s also the concept of content scalability. It’s also where administrators can add new courses or adjust what’s on offer as the curriculum changes. Your learning strategy must be nimble enough to meet those changing needs.

****Cost-Effectiveness: Budget-Friendly Learning****

With the cloud-based LMS, you can save significantly more than if you used the traditional method in some cases. Companies can do more with fewer resources, such as less hardware or specialised IT personnel.” Predictable budgeting: With subscription-based pricing models, budgets are usually predictable (which allows easier financial planning).

A reduction in travel and accommodation expenses for on-campus training enables organisations to focus more on content creation and other aspects of learning. Through this repurposing of resources, learning can be enhanced.

****Enhancing Collaboration and Engagement****

A cloud-based LMS can be a catalyst for sharing and engaging learners. Q&A, chat, and social learning tools enable participants to engage with each other and share their expertise. They have a little slice of culture, writing about it; how powerful can other cities build their own version of its influence?

Furthermore, we observe that certain gamification elements, such as badges and leaderboards, are motivating learners to participate. When you add these features, a hosted LMS can offer an engaging and effective learning experience.

****Data-Driven Insights: Informing Decisions****

We have data insights in the cloud model that enable us to make better decisions. Administrators can monitor learner progress, course success rates, and areas that need improvement. By being data-driven organisations, they are constantly fine-tuning their methods of learning.

Through probing analytics, businesses can select content that best appeals to their needs and tastes. This sense of personalisation can increase engagement and help learners learn better, as the text is relevant to what they’re interested in.

****Security and Reliability: Ensuring Safety****

Security: No system that runs using a cloud can ever be beneficial if there isn’t security, which is no different in the case of a cloud LMS as well. Additionally, you’ll note that most providers will have layered security in place for data containing sensitive information. The article is current, but it has no staying power.

Reliability is another crucial aspect. Organisations benefit from cloud hosting due to its high availability and low wait times. There’s a two-way feedback process that is almost as important to education as it is in making learners feel attached to what they are learning about.

****Customisation: Catering to Unique Needs****

A cloud-based LMS is highly customizable, which makes it one of its top advantages. The system can be tailored to fit your organisational needs and goals. Everything, from branding and course structure to levels of customisation, is provided so that you can tailor the best learning experience.

This adaptability enables the LMS to be tailored to fit the unique learning needs of an organisation. It makes the system more efficient, as it provides necessary and effective training for everyone in the organisation, along with methods to address specific needs.

****Conclusion****

Therefore, the switch to a cloud-hosted LMS can offer organisations a range of benefits in terms of scalable learning. A cloud-based LMS provides the flexibility, scalability, and cost-effectiveness necessary to support a learning community. This model facilitates a higher learning success rate and an efficient allocation of resources. A cloud LMS is an ideal strategic ally in this journey, as businesses increasingly invest their financial resources in education and development.

(Photo by Hazel Z on Unsplash)

How an LMS Cloud Model Supports Scalable Learning

A new report from Check Point Research reveals a growing trend of cyber criminals recruiting employees at banks, telecoms, and tech giants. Learn how hackers use the darknet and Telegram to offer payouts up to $15,000 for internal access to companies like Apple, Coinbase, and the Federal Reserve.

Recent research from Check Point Research (CPR) shows that cyber criminals are changing how they break into companies. Instead of just trying to guess passwords or find computer glitches, they are now paying employees to help them from the inside.

According to the report, these groups are specifically recruiting “**insiders**” at banks, telecom, and tech firms to get direct access to private networks and customer information.

****High Payouts for Sensitive Data****

CPR researchers note that the rewards for these employees can be quite high; payouts for one-time access or specific files generally range between $3,000 and $15,000. However, some data is worth even more, such as a collection of 37 million records from a cryptocurrency exchange that was seen on the **dark web** for $25,000.

Source: Check Point Research

Digging deeper, researchers found that criminals are using emotional tactics to lure staff. In July, one advertisement encouraged workers to “escape the endless work cycle” by collaborating with hackers for five- or six-figure rewards. While some ads are short and factual, others frame this betrayal as a path to financial freedom.

****Major Brands and Industries Targeted****

It is worth noting that no sector seems to be safe, as recruitment ads have specifically named large firms like Coinbase, Binance, Kraken, and **Gemini**. Even major consulting companies like Accenture and Genpact, and consumer brands like Spotify and Netflix, have been mentioned.

The threat extends to physical goods and infrastructure as well. For example, insiders are being sought at Apple, Samsung, and Xiaomi, while cloud service employees are being offered up to $10,000 for access.

(Source: Check Point Research)

In the US, staff at Cox Communications have been asked to help with **SIM-swapping**, a trick used to bypass security codes. Even the US Federal Reserve and major European banks have been targeted by those looking for transaction histories.

****The Role of Ransomware Groups****

These activities are not just happening on hidden websites because **ransomware** groups are now using Telegram to find helpers. One group with approx. 400 members recently advertised a “ransomware portal,” inviting insiders and “access brokers” to help lock down company systems for a share of the profit.

(Source: Check Point Research)

****CrowdStrike’s Insider Incident: A Prime Example of Hiring Insider Threat****

A recent internal security incident at CrowdStrike backs CPR’s findings and how real the insider threat has become. In November 2025, the cybersecurity firm **confirmed** it had terminated an employee after detecting an unauthorised leak of internal information to an external party linked to the Scattered Lapsus Hunters network.

Stopping these attacks is difficult because, as researchers explained in the **blog post**, “when internal staff disable defences,” standard security is often bypassed entirely. To stay safe, experts say companies must monitor the dark web for mentions of their brand and keep a much closer eye on who has access to their most sensitive data.

Insider Threat: Hackers Paying Company Insiders to Bypass Security

Learn how DevOps and DevSecOps strengthen cybersecurity through automation, CI/CD, and secure DevOps development services.

Cyberattacks are growing more sophisticated every year, from mass phishing campaigns to targeted data breaches against corporate infrastructure. In a world where every minute of delay can cost millions, organizations are under pressure to release updates faster while keeping systems secure. One of the most effective strategies to balance speed and protection is DevOps.

****From DevOps to DevSecOps****

DevOps emerged to break down silos between developers and operations teams, enabling faster product delivery through automation and collaboration. As cyber threats escalated, speed without security became a liability. This shift gave rise to DevSecOps, a model where security is embedded into every stage of the software lifecycle.

According to Gartner, more than 70% of enterprises are expected to adopt DevSecOps practices by 2026, nearly double the rate seen in 2022.

****Why speed equals security****

The 2020 SolarWinds Orion compromise demonstrated the devastating impact of supply chain attacks. Malicious code inserted into software updates gave attackers access to thousands of organizations, including government agencies and Fortune 500 companies. The lesson was clear: delays in patching or a lack of integrated security can lead to catastrophic breaches.

That is why more organizations are turning to DevOps development companies to integrate security into every stage of development. DevSecOps is no longer optional. It is becoming the standard for industries where resilience is critical.

****DevSecOps in practice****

DevSecOps ensures that security is not a final checkpoint but a continuous process. Automated testing, monitoring, and code analysis help identify vulnerabilities before release.

As GeeksforGeeks notes, the benefits include faster time-to-market, fewer vulnerabilities, and a security-first culture. SentinelOne adds that DevSecOps fosters closer collaboration between developers, operators, and security teams, improving both product quality and release speed.

****Automation and rapid response****

Automation is at the heart of DevOps. Continuous integration and delivery (CI/CD) pipelines allow organizations to push updates quickly and consistently. In cybersecurity, this speed is critical. The faster a vulnerability is patched, the lower the risk of exploitation.

Fortinet emphasises that DevSecOps shifts security left, embedding protection at the earliest stages of development to prevent vulnerabilities before they reach production.

****Industry perspective****

According to Neklo, a company providing DevOps development services since 2009, integrating DevOps and security is not just a trend but a necessity. “Organizations that adopt DevSecOps reduce incident response times dramatically and minimize the risk of data breaches,” Neklo experts explain.

Their experience shows that well-implemented DevOps practices accelerate development while building resilient infrastructure capable of withstanding modern threats.

****Case studies****

Real-world incidents prove why DevSecOps matters. Breaches caused by misconfigurations, delayed patching, or overlooked flaws show the cost of neglecting security.

*   **Capital One (2019):** A misconfigured cloud environment exposed data of over 100 million customers. Automated configuration checks, a core DevSecOps practice, could have prevented the breach.
*   **Equifax (2017):** Failure to patch Apache Struts led to the compromise of 147 million records. Automated patching pipelines could have reduced exposure.
*   **GitHub:** The platform integrates automated security checks into CI/CD, catching vulnerabilities in third-party libraries before they reach production.

These examples show that even industry leaders are vulnerable when security is treated as an afterthought. DevSecOps offers a proactive approach that reduces risks and builds trust.

****Tools driving DevSecOps****

The success of DevSecOps depends on tools that integrate security without slowing delivery. They automate checks, enforce compliance, and provide visibility across the lifecycle.

*   CI/CD pipelines for automated builds and testing
*   Containerization with Docker and Kubernetes for isolation and secure deployment
*   Static Application Security Testing (SAST) to scan source code
*   Dynamic Application Security Testing (DAST) to test running applications
*   Infrastructure as Code (IaC) with built-in security checks

The goal is not only to catch vulnerabilities but also to create a culture where security is continuous, automated, and proactive.

****The future: AI and security automation****

Artificial intelligence is set to play a major role in DevOps. Research (PDF) from Monash University and Atlassian shows AI can automate vulnerability detection and reduce the burden on security teams.

Real-world applications are already proving effective. AI-driven tools detect anomalies, predict threats, and respond automatically. WebAsha highlights that AI-powered DevSecOps is becoming the new standard, shifting organizations from reactive defense to proactive protection.

****Practical steps for adoption****

Transitioning to DevSecOps can feel overwhelming. The key is to treat adoption as a structured process, not a sudden overhaul.

1.  Assess current workflows to identify weak points
2.  Train teams to embrace a security-first mindset
3.  Automate testing with SAST and DAST integrated into CI/CD
4.  Implement monitoring using SIEM systems for real-time analysis
5.  Scale gradually, starting with pilot projects before full rollout

These steps provide a roadmap for embedding security into development culture. Success depends on tools, training, leadership support, and a willingness to evolve. Companies that adopt DevSecOps incrementally are better positioned to respond quickly to threats.

****Building a security culture****

Technology alone is not enough. DevSecOps requires cultural change. Developers, operators, and security professionals must collaborate seamlessly. Without this shift, even the most advanced tools will not deliver results.

DevOps is no longer just about faster releases. It has evolved into a comprehensive cybersecurity strategy that helps organizations stay competitive and resilient in the face of escalating digital threats.

(Featured Image via DC Studio on Freepik)

DevOps and Cybersecurity: Building a New Line of Defense Against Digital Threats

US authorities have charged Zahid Hasan with running TechTreek, a $2.9 million online marketplace selling fake ID templates. The investigation, involving the FBI and Bangladesh police, uncovered a global scheme selling fraudulent passports and social security cards to over 1,400 customers.

A major international operation has ended with a nine-count federal indictment against a man accused of fuelling identity theft worldwide. US Attorney Kurt Alme announced the charges against 29-year-old Zahid Hasan (aka Zahid Biswas), a resident of Dhaka, Bangladesh.

Hasan is alleged to have run a sophisticated network of websites that sold digital templates for fake government documents, including US passports and Montana driver’s licenses.

****A Worldwide Digital Shop for Fraud****

According to a press release from the US Department of Justice, Hasan operated under business names like Techtreek.com, Egiftcardstorebd.com, and Idtempl.com from 2021 until 2025. These shops didn’t sell physical cards; instead, they sold digital “templates,” which are files that allow criminals to input their own information to create high-quality fake IDs. These fakes were primarily used to bypass security at banks, social media platforms, and digital currency sites.

Investigators also found that Hasan’s prices were surprisingly low. A US social security card template sold for just $9.37, while a Montana driver’s license cost $14.05. Despite these small price tags, Hasan allegedly brought in more than $2.9 million by selling to over 1,400 customers across the globe.

Zahid Hasan’s author bio on TechTreek (Image credit: Hackread.com)

“Yesterday, Bangladeshi national Zahid Hasan was indicted for operating illegal online marketplaces that sold digital templates for false identity documents like U.S. passports and social security cards. Hasan received millions of dollars from the scheme. As part of the investigation, the #FBI and our partners seized multiple domains associated with the criminal enterprise,” the FBI’s Cyber Division’s official announcement reads on LinkedIn.

****The Crackdown and Arrest****

The investigation reached a turning point in May 2025, when Hasan accepted Bitcoin from an individual in Bozeman, Montana, in exchange for fraudulent templates. Following this, the US government seized three domains used for the business, Techtreek, Egiftcardstorebda and Idtempl.com:

Official seizure notice (Source: DoJ)

This case was a massive team effort. The FBI’s Billings Division and the Salt Lake City Cyber Task Force led the charge. They worked in close coordination with the FBI’s International Operations Division and the Dhaka Metropolitan Police Department’s Counterterrorism and Transnational Crime Unit in Bangladesh to track Hasan’s activities across borders.

Assistant US Attorney Benjamin Hargrove is now prosecuting the case. Hasan faces up to 15 years in prison for each of the eight counts related to ID and passport fraud, and up to five years for the social security fraud charge. It is worth noting that each count also carries a maximum fine of $250,000 and three years of supervised release.

FBI Seizes Fake ID Template Domains Operating from Bangladesh

Amazon Security Chief explains how a subtle keyboard delay exposed a North Korean impostor. Read about the laptop farm scheme and how 110 milliseconds of lag ended a major corporate infiltration.

In an era where remote work is the norm, it can be hard to know for sure who is on the other side of a computer screen. This fear was proven by the retail giant Amazon, which recently discovered that one of its “American” tech workers was actually a North Korean impostor. Surprisingly, the person wasn’t caught through a standard background check, but because their keyboard was just a tiny bit too slow.

****The Mystery of the Lagging Keyboard****

It all started when security specialists at Amazon noticed something odd about a new system administrator’s computer activity. In the tech world, when you press a key on a laptop, that signal travels to the company’s network almost instantly. For a genuine worker based in the United States, this usually takes only a few milliseconds, which are just tiny fractions of a second.

However, Amazon’s Chief Security Officer, Stephen Schmidt, found that the company’s monitoring tools flagged a delay of more than 110 milliseconds. While that is a blink of an eye to us, it was a major red flag for their security software.

According to Bloomberg’s report, further investigation revealed that the laptop was physically sitting in an Arizona home to look legitimate, but it was being controlled remotely from halfway across the world. As we know it, this extra distance is what caused the “lag” that gave the game away.

****A Growing Problem for Big Tech****

This is not just a one-off event. Schmidt shared that since April 2024, Amazon has stopped more than 1,800 similar hiring attempts, and that these attempts are increasing rapidly, with a 27% jump in just the last few months.

Further probing by the US Department of Justice revealed that these workers often use laptop farms to hide their location. In this specific case, an Arizona woman named Christina Marie Chapman was found to be hosting the hardware.

Hackread.com earlier reported that Chapman managed over 90 laptops in her home to help North Korean agents appear as if they were working from the US. She was sentenced to eight and a half years in prison this past July for her role in the $17 million fraud scheme.

****Spotting the Signs****

Schmidt noted that catching these impostors requires looking for very specific clues. Besides technical lag, there are “low-tech” signs to watch for. For example, the intruders often fumble when using American idioms or struggle with the correct use of English articles like “a” and “the” during conversations.

The goal of these intrusions is usually to earn money for the North Korean government’s weapons programs. Schmidt warned that if the company hadn’t been actively hunting for these fake employees, they never would have found them. Nevertheless, hiring teams should review employee onboarding processes, especially for remote hires, and educate staff about these types of social engineering attacks.

Keyboard Lag Leads Amazon to North Korean Impostor in Remote Role

Torrance, United States / California, 19th December 2025, CyberNewsWire

**Torrance, United States / California, December 19th, 2025, CyberNewsWire**

Criminal IP (criminalip.io), the AI-powered threat intelligence and attack surface monitoring platform developed by AI SPERA, is now officially integrated into Palo Alto Networks’ Cortex XSOAR. The integration embeds real-time external threat context, exposure intelligence, and automated multi-stage scanning directly into Cortex XSOAR’s orchestration engine, giving security teams higher incident accuracy and faster response than conventional log-centric approaches.

For Palo Alto Networks, widely regarded as the global leader in cybersecurity, Cortex XSOAR is a central hub for SOC automation. With Criminal IP added as an integration through the Cortex Marketplace, Cortex XSOAR can now offer users the ability to evaluate suspicious IPs and domains not only through static reputation data but also through behavioral signals, exposure history, infrastructure correlations, and AI-driven threat scoring, without requiring additional systems or analyst-driven lookups.

**AI Context to Address the Limits of Log-Only Incident Response**

Automated playbook example — detecting malicious domains using the three-step scan in the integrated API of Criminal IP and Palo Alto Networks Cortex XSOAR​​>

Modern SOC teams face overwhelming alert volumes, yet traditional enrichment still depends on static reputation feeds with limited context, often missing port exposure, CVE ties, certificate reuse, DNS changes, or anonymization behavior. Criminal IP fills this gap by continuously analyzing global internet-facing assets and correlating IP behavior, domain activity, SSL/TLS data, port states, CVE exposure, IDS hits, and masking indicators. When an alert includes an IP or domain, Cortex XSOAR can automatically pull this enriched intelligence into the active incident via a playbook, allowing analysts to assess intent and severity without leaving Cortex SOAR.

**Multi-Stage Scanning and External Exposure Linking**

Cortex XSOAR playbooks can trigger Criminal IP’s automated three-stage scanning workflow: beginning with a Quick Lookup, escalating to a Lite Scan, and then performing a Full Scan for complete attack surface analysis. Full Scan results are delivered as structured reports within Cortex XSOAR, with generic polling ensuring the workflow continues without manual effort. Beyond alert-driven enrichment, the integration also links internal telemetry with open-internet intelligence providing historical behavior, C2 relationships, anonymization indicators, abuse records, and SSL correlations for each indicator. Cortex XSOAR can also schedule Micro Attack Surface Management scans to assess exposed ports, certificate validity, vulnerable services, and outdated software, offering lightweight, continuous ASM capabilities that help organizations identify weaknesses before they are exploited.

**Accelerating the Shift Toward Intelligence-Driven Autonomous Security**

Screenshot of the Criminal IP pack on the Cortex Marketplace

The integration between Palo Alto Networks and Criminal IP reflects a broader trend toward autonomous security operations. By combining Cortex XSOAR’s automation and orchestration capabilities with Criminal IP’s real-time external analysis, SOC teams can automate decisions that previously required manual research across multiple intelligence sources. This reduces response times, improves the accuracy of incident classification, and minimizes analyst fatigue—issues that have grown more severe as alert volumes and AI-generated threats continue to rise.

Criminal IP is already present on Azure, AWS, and Snowflake marketplaces and maintains integrations with more than 40 security vendors, including Cisco, Fortinet, and Tenable. Its expansion into the Palo Alto Networks ecosystem sets the foundation for further integrations across XDR and cloud security solutions.

AI SPERA CEO Byungtak Kang stated that the integration “demonstrates the growing importance of AI-driven threat intelligence and exposure analytics in enterprise security operations,” adding that Criminal IP aims to play a central role in helping organizations transition toward fully autonomous defense architectures.

**About Criminal IP**

Criminal IP is the flagship cyber threat intelligence platform developed by AI SPERA. The platform is used in more than 150 countries and provides comprehensive threat visibility through enterprise security solutions such as Criminal IP ASM and Criminal IP FDS.

Criminal IP continues to strengthen its global ecosystem through strategic partnerships with Cisco, VirusTotal and Quad9. The platform’s threat data is also available through major US data warehouse marketplaces including Amazon Web Services (AWS), Microsoft Azure and Snowflake. This expansion improves global access to high quality threat intelligence from Criminal IP.

Users can learn more: https://cortex.marketplace.pan.dev/marketplace/details/CriminalIP/

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP and Palo Alto Networks Cortex XSOAR integrate to bring AI-driven exposure intelligence to automated incident response

Pillar Security has identified a critical indirect prompt injection vulnerability in Docker’s ‘Ask Gordon’ assistant. By poisoning metadata on Docker Hub, attackers could bypass security to exfiltrate private build logs and chat history. Discover how the "lethal trifecta" enabled this attack and why updating to Docker Desktop 4.50.0 is essential for developer security.

Cybersecurity researchers at Pillar Security, an AI software security firm, have found a way to trick Docker’s new AI agent, Ask Gordon, into stealing private information. The researchers discovered that the AI assistant could be manipulated through a method called indirect prompt injection.

This happens because the assistant has a “blind spot” in how it trusts information. As we know it, any AI tool becomes risky when it can access private data, read untrusted content from the web, and talk to external servers.

****How Does It Work****

Docker is a major platform used by millions of developers to build and share software. To make things easier, they introduced a beta tool, ‘Ask Gordon,’ that can answer questions and help with tasks using simple, natural language.

However, researchers noted attackers could take control of the assistant through a technique known as metadata poisoning. By putting hidden, malicious instructions inside the description or metadata of a software package on the public Docker Hub, hackers can wait for an unsuspecting user to interact with that package.

Attack chain (Source: Pillar Security)

The research, which was shared with Hackread.com, further revealed that a user only needs to ask a simple question like, “Describe this repo,” for the AI to read those hidden instructions and follow them as if they were legitimate commands.

Watch Pillar Security’s Docker Gordon AI Data Exfiltration Demo

****The Lethal Trifecta****

Probing further, researchers found that the AI was falling into a trap because of a lethal trifecta, a term coined by renowned technologist Simon Willison. In this case, the assistant could gather chat history and sensitive build logs (records of the entire software creation process) and send them to a server owned by the attacker.

The results were instant. Within seconds, an attacker could get their hands on build IDs, API keys, and internal network details. This effectively means the agent acted as its own command-and-control client, turning a helpful tool into a weapon against the user.

To explain why this worked, the team used a framework called CFS (Context, Format, and Salience). It shows how a malicious instruction succeeds by fitting the AI’s current task (Context), looking like standard data (Format), and being positioned where the AI gives it high priority (Salience).

****A Quick Fix for Users****

It is worth noting that this vulnerability (formally known as CWE-1427 or Improper Neutralization of Input for AI Prompts) wasn’t just a theoretical guess; researchers proved it by successfully stealing data during their tests. They immediately notified Docker’s security team, which acted promptly. The issue was officially resolved on November 6, 2025, with the release of Docker Desktop version 4.50.0.

The fix introduces a “human-in-the-loop” (HITL) system. Now, instead of Gordon automatically following instructions it finds online, it must stop and ask the user for explicit permission before it connects to an outside link or executes a sensitive tool. This simple step ensures that the user remains in control of what the AI is actually doing.

Docker Fixes ‘Ask Gordon’ AI Flaw That Enabled Metadata-Based Attacks

Crypto’s public image lagged reality. Stablecoins, tokenization, and regulation now power a blockchain backend settling global finance at institutional scale.

Retail trading and price swings have defined the public view of cryptocurrency for nearly ten years. Yet, as news outlets tracked market cycles, a structural overhaul took hold in the background that went largely unnoticed.

The industry has quietly transitioned from a speculative ecosystem into the infrastructure layer modernizing global finance. This new backend, often described as the “asset layer of the web,” is upgrading the financial system by moving value from slow, siloed legacy databases to instant programmable blockchains.

Market data confirms this shift is operating at scale. By December 9, 2025, the total value of stablecoins had climbed nearly 50% for the year to reach a capitalization of $312.55 billion. This surge indicates that digital value transfer is no longer experimental; it is the preferred rail for a significant portion of global liquidity.

This institutional maturity was the central theme at Binance Blockchain Week 2025. Industry leaders convened not to discuss token prices, but to analyze how blockchain is functioning as a settlement engine for the real economy.

During the Digital Money at Scale panel, Reeve Collins, Co-founder and Chairman of STBL, captured the essence of this utility-driven shift. “Stablecoins are simply a better way to move money globally, instantly, and for free,” Collins noted. His observation highlights the core utility driving adoption: efficiency. While price action draws attention, the true revolution lies in the friction reduction for moving capital across borders.

****The New Backend Structure of Finance****

Institutions are moving on-chain to solve specific operational inefficiencies inherent in legacy systems like SWIFT or the DTCC. Traditional finance often relies on a T+2 settlement cycle, where funds and assets take days to clear. The Asset Layer offers a solution through tokenization, converting rights to an asset into a digital token on a blockchain. This allows for instant settlement, 24/7 liquidity, and programmable ownership logic.

This demand for efficiency has triggered an explosion in real-world assets. The market cap for tokenized RWAs has reached $18.25 billion, representing a massive, nearly 230% growth. Furthermore, the number of investors utilizing these instruments has widened, with 564,846 holders now owning tokenized assets ranging from private credit to treasury bills.

Institutional portfolios are reflecting this change. A recent State Street study indicates that while institutions currently hold approximately 7% of their portfolios in digital assets, this figure is projected to rise to 16% within three years. Asset managers are moving faster than asset owners, recognizing that tokenization is arguably the most significant evolution in market infrastructure since the introduction of electronic messaging in the 1970s, a sentiment echoed by BlackRock CEO Larry Fink.

Critically, this infrastructure is already handling volumes that rival traditional clearing houses. During the Binance Blockchain Week panel, Zach Witkoff, Co-Founder and CEO of World Liberty Financial, highlighted a specific use case involving the client that proves the technology’s readiness for high-stakes finance. “USD1 was used to settle the largest transaction in crypto history, MGX investing in Binance,” Witkoff stated.

“Five years ago, no one would’ve imagined a $2 billion deal settling in stablecoins.” This transaction serves as a proof point that blockchain rails are now capable of settling billion-dollar institutional deals with speed and finality that legacy banking rails struggle to match.

****Stability in Regulation****

For years, the technology to modernize finance existed, but the requisite trust did not. Major payment networks and banking giants hesitated to fully commit to blockchain rails due to regulatory ambiguity. That hesitation is now dissipating as major jurisdictions implement comprehensive legal frameworks.

The regulatory landscape has shifted dramatically with the passage of legislation such as the US GENIUS Act and the implementation of the EU’s Markets in Crypto-Assets (MiCA) regulation. These frameworks provide the legal certainty institutions require to treat tokenized assets as legitimate financial instruments rather than gray-market experiments. This clarity allows legacy players like Visa and Amex, which previously faced crippling diligence hurdles, to integrate stablecoins and tokenized assets into their product suites.

Reeve Collins addressed this evolution directly during the panel, arguing that the barrier to entry was never technological. “The only real difference between 2018 and now is the regulatory landscape,” Collins explained. “That’s what held tokenization back, not the technology.”

With rules of the road now established, corporate balance sheets are increasingly comfortable with digital asset exposure. While risks such as smart contract vulnerabilities and liquidity fragmentation remain, regulated structures compliant with MiCA are mitigating these concerns, effectively granting permission for the world’s wealth to migrate on-chain.

****The Unified Value Layer****

The rise of tokenization signals the end of the separation between crypto markets and traditional markets. In the near future, there will likely be only markets, all running on a unified blockchain backend that offers superior transparency and efficiency.

Just as the internet protocol TCP/IP runs invisibly beneath the web, tokenization is becoming the invisible standard for value transfer. The focus will shift away from the underlying technology to the products it enables, such as instant cross-border payments, yield-bearing stablecoins, and globally accessible capital markets.

The infrastructure is built, the regulations are in place, and the asset layer of the web is now open for business.

(Photo by Shubham Dhage on Unsplash)

The Asset Layer of the Web: Tokenization Is Becoming Finance’s New Backend Infrastructure

Cary, North Carolina, USA, 18th December 2025, CyberNewsWire

**Cary, North Carolina, USA, December 18th, 2025, CyberNewsWire**

**Growth in Egypt, UAE, and Kingdom of Saudi Arabia Fueled by Demand for Expert-Led, Hands-On Training to Meet National Digital Transformation Goals**

INE Security, a global leader in specialized cybersecurity and IT training, today announced continued significant expansion across the Middle East and Asia, capitalizing on major regional learning initiatives. The company’s unique, hands-on methodology is proving to be a cost-effective solution for upskilling cybersecurity professionals in high-growth markets, including the Kingdom of Saudi Arabia (KSA), the United Arab Emirates (UAE), and Egypt.

As these nations prioritize digital transformation and invest heavily in localizing technical expertise, such as through Saudi Vision 2030, the demand for high-quality, practical cybersecurity training has surged. Yet traditional, high-cost training models often fail to scale efficiently to meet the vast skill gaps required to secure rapidly expanding digital infrastructures.

INE Security addresses this challenge by providing comprehensive, subscription-based learning paths designed by industry experts. This model delivers superior value by offering unlimited access to thousands of hours of content and real-world virtual labs—such as the innovative Skill Dive platform—ensuring professionals not only learn theory but also gain the hands-on experience necessary to defend complex environments.

**Meeting Regional Skills Demands**

The key to INE Security’s success in the region lies in its commitment to verifiable competence over mere certification. Organizations in KSA, UAE, and Egypt require solutions that can rapidly validate and elevate the technical skills of their security analysts and engineers in critical areas.

Key competencies being rapidly adopted through INE Security training include:

*   **Cloud Security** best practices for protecting new digital government and private sector infrastructures
*   **Incident Response** planning and execution through realistic simulation labs
*   **Penetration Testing** and offensive security techniques to proactively identify vulnerabilities
*   **Advanced Networking** fundamentals necessary for robust security architecture

> “The Middle East and Asia are leading the world in digital ambition, and that ambition requires a skilled cyber workforce trained to meet the highest global standards,” said **Lindsey Rinehart, CEO of INE.** “Our cost-effective, hands-on training model delivers the depth and scale needed to build real-world defensive capabilities. We are committed to supporting the region’s growing cybersecurity ecosystem and empowering practitioners with the skills they need to protect national assets and drive digital innovation.”

**Expanding Regional Partnerships**

As part of its continued expansion, INE Security has strengthened its regional presence through new strategic partnerships established over recent months. These collaborations extend INE’s reach and support localized delivery of hands-on cybersecurity training aligned with regional workforce development priorities.

New partners across the Middle East and Asia include Red Nexus Academy, RedTeam Hacker Academy, and Abadnet Institute. Through these partnerships, INE is working closely with training providers and academic institutions to broaden access to expert-led instruction, immersive labs, and skill validation programs for cybersecurity professionals across the region.

By collaborating with trusted regional partners, INE is able to support national digital initiatives while ensuring training programs reflect local market needs, languages, and technical priorities.

**A Scalable Model for National Growth**

INE’s subscription-based model provides scalable access to hands-on training and real-time skill development across the full spectrum of cyber domains. This approach enables government agencies, universities, and large enterprises to onboard and upskill teams efficiently while maintaining consistency and quality at scale. With built-in skill assessment tools and usage analytics, organizations gain clear visibility into workforce readiness and can confidently measure progress as teams advance through increasingly complex defensive and offensive scenarios.

> “Organizations across the Middle East and Asia are accelerating their cybersecurity readiness, and they need training solutions that match the pace of their transformation,” said **Brett Eskine, Chief Revenue Officer at INE.** “INE’s hands-on labs and expert-led learning paths provide a scalable and measurable pathway for organizations across the region to build the cyber expertise required for modern digital infrastructures.”

INE remains committed to empowering professionals throughout these dynamic regions by delivering accessible, high-impact learning tools that help strengthen national security resilience while advancing individual careers. To learn more about INE Security’s enterprise training solutions and regional expansion initiatives, users can visit **ine.com/enterprise**. 

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and cybersecurity certifications. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity. The company is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Chief Marketing Officer**  
**Kim Lucht**  
**INE**  
**\[email protected\]**

Source

HackRead