UK's ICO fines LastPass £1.2M for the 2022 data breach that exposed 1.6 million users’ data. Learn how a flaw in an employee's personal PC led to the massive security failure.

The UK’s data privacy regulator, the Information Commissioner’s Office (ICO), has penalised the password management giant LastPass UK Ltd with a £1.2 million fine over a major security breach in 2022 that affected the personal details and encrypted vaults of up to 1.6 million users in the UK alone.

The ICO has concluded that the company failed to put in place strong enough technical and security safeguards. ICO Head John Edwards noted that a company promising to help people improve their security “has failed them.”

****The 2022 Breach: A Chain of Failures****

As reported by Hackread.com in 2022, the whole incident involved a series of human and technical security failures that occurred in two main phases. The trouble first began in August 2022 when an attacker compromised a corporate laptop belonging to a developer in Europe, stealing some of the company’s source code and internal information. This initial attack did not directly compromise customer data.

The attacker then used this stolen material to launch the second, more damaging phase. They targeted a senior engineer in the US (one of only four employees with access to critical decryption keys) and gained access to this employee’s personal desktop computer by exploiting a known flaw in a third-party application, believed to be the Plex Media Server, installed on the device.

Once inside, the attacker installed a keylogger to capture the employee’s master password and stole a trusted device cookie to bypass Multi-Factor Authentication (MFA). Since the engineer had linked their business and personal accounts with a single master password, the hacker accessed the corporate vault, obtaining an Amazon Web Services (AWS) access key and a decryption key needed to access customer data.

The data stolen included names, company names, billing addresses, phone numbers, email IDs, and the IP addresses customers used for accessing the LastPass service, along with encrypted password vaults.

****ICO Ruling Highlights Security Failures****

The ICO’s ruling was stern. They found that LastPass UK Ltd did not restrict system access sufficiently, allowing the human element, specifically the employee’s use of a personal device and repeated credentials, to undermine their security. They stated that LastPass customers had a right to expect their personal information to be kept safe.

It is worth noting, however, that the situation could have been far worse. LastPass CEO Karim Toubba confirmed that the core customer passwords remain protected because of the company’s ‘zero-knowledge encryption’ system, which means the master passwords are only known to the user and are never stored on LastPass servers. For your information, the final fine was lowered from an initial proposal of 2.6 million because of the steps LastPass took to prevent such incidents.

The penalty emphasises a crucial lesson for all businesses: the human attack surface, including employee personal devices and home networks, is usually the weakest link in even the secure corporate networks.

Full statement from UK Information Commissioner, John Edwards:

“Password managers are a safe and effective tool for businesses and the public to manage their numerous login details, and we continue to encourage their use. However, as is clear from this incident, businesses offering these services should ensure that system access and use is restricted to ensure risks of attack are significantly reduced.

“LastPass customers had a right to expect the personal information they entrusted to the company would be kept safe and secure. However, the company fell short of this expectation, resulting in the proportionate fine being announced today.

“I call on all UK businesses to take note of the outcome of this investigation and urgently review their own systems and procedures to make sure, as best as possible, that they are not leaving their customers and themselves exposed to similar risks.”

In response to this news, Chris Pierson, CEO, BlackCloak, shared the following comments with Hackread.com, stating, “This case is a clear reminder that today’s most damaging breaches often begin far outside traditional enterprise controls. Attackers did not defeat encryption or zero-knowledge architecture head-on; they targeted a trusted individual, exploited a personal device, and patiently chained together small gaps until they reached high-value access.”

Advising controls and proper security precautions to businesses and individual users, Pierson said that _“_For executives and privileged users, personal and professional digital lives are inseparable, and adversaries know it. Controls within the enterprise remain critical, but they must be paired with the continuous protection of personal devices, privacy enhancements, and home network protection. Organisations that fail to secure the digital attack surface for key persons and executives in their personal lives are effectively leaving the back door open to attacks.”

UK’s ICO Fine LastPass £1.2 Million Over 2022 Security Breach

The Oyster backdoor (also known as Broomstick) is targeting the financial world, using malicious search ads for PuTTY, Teams, and Google Meet.

Cybercriminals are tricking users into downloading malware disguised as popular office tools like Microsoft Teams and Google Meet. This dangerous campaign is mainly targeting those in the financial world and has been active since mid-November 2025, according to a new report from cybersecurity experts at CyberProof.

The danger lies in what experts call SEO poisoning and malvertising. For your information, in SEO poisoning, attackers manipulate search results to make fake, dangerous websites appear at the top, whereas malvertising means using online advertisements to spread malware.

****The Bait: Fake Downloads****

CyberProof’s research, shared with Hackread.com, reveals that the attack starts with directing victims to malicious websites. Once a user clicks, they are tricked into downloading the Oyster backdoor (also called Broomstick and CleanUpLoader), first spotted in September 2023 by security experts at IBM.

Further investigation revealed that attackers are constantly changing their methods. For example, in July 2025, CyberProof researchers spotted Oyster being spread through ads that impersonated other popular IT tools, specifically PuTTY and WinSCP. This shows a pattern of targeting tools that users frequently search for.

****Recent Attack Details****

The current wave of attacks involves using fake download pages for online communication tools like Microsoft Teams and Google Meet to fool people into downloading malware, with reports suggesting it started earlier than mid-November.

Fake Google Meet site used in the Oyster backdoor campaign (Imaage via CyberProof)

As Hackread.com recently reported, research from Blackpoint Cyber detailing a new campaign where a fake site appeared when visitors searched for “Microsoft Teams download,” and delivered the Oyster backdoor.

To make their files look official, some fake installers, like MSTeamsSetup.exe, were code-signed with certificates from various companies, including LES LOGICIELS SYSTAMEX INC., Reach First Inc., and S.N. ADVANCED SEWERAGE SOLUTIONS LTD. Researchers noted that most of these certificates have since been revoked.

****A Lingering Threat****

The Oyster backdoor is a serious issue because it creates a hidden entry point into a computer system. When the fake installer is run, it drops a malicious file called AlphaSecurity.dll into a folder on your computer.

For persistence, the installer creates a scheduled task, also called ‘AlphaSecurity,’ which makes sure the malicious file runs every 18 minutes, keeping the backdoor active even after the computer is restarted.

While the current campaign started in November 2025, researchers noted that this wider threat, using a combination of SEO and malvertising, has been active since at least November 2024. They explained that many ransomware groups, like the well-known Rhysida, have reportedly used this same backdoor to attack corporate networks, making this a serious concern.

“Since there have been some ties with human-operated ransomware groups, we strongly believe and predict this threat cluster will continue to be active through 2026,” CyberProof researchers assessed.

To protect yourself, remember to always download software directly from the official developer’s website or a trusted app store and avoid clicking on search results or pop-up ads for downloads, as these are exactly how the Oyster backdoor spreads.

Fake Microsoft Teams and Google Meet Downloads Spread Oyster Backdoor

Scale software teams fast with development team augmentation. Learn when it works best, key models, common mistakes, and how to choose the right partner.

****When Team Expansion Becomes a Matter of Survival****

Imagine this: you’re launching a new product in three months, and two of your senior developers unexpectedly leave. Or another scenario: the company wins a major contract, but the current team physically can’t cover all the tasks. Sounds familiar?

The modern IT market operates at extreme speeds. According to SIA, 76% of tech companies face a shortage of qualified specialists. Traditional hiring stretches over months, while business needs solutions here and now. This is where development team augmentation comes in, a model that allows you to quickly scale your team without lengthy HR processes and unnecessary costs.

This article is for those who are tired of waiting for HR to find “the perfect candidate.” We’ll explain how software development staff augmentation works, when it makes sense, and how to avoid typical mistakes when expanding your team.

****What is Team Augmentation and Why Everyone’s Talking About It****

Developer augmentation is when you add external specialists to your team who work under your management. Sounds like outsourcing? Not at all.

The key difference: with outsourcing, you hand tasks to another company and wait for results. With augmentation, external developers become a part of your team. They participate in daily standups, communicate through Slack, and work in GitHub. Their salary just goes through a different company.

For example, there is a startup from Berlin that is developing a fintech application. And they have three full-stack developers, a designer, and a product manager. However, an investor unexpectedly shows up and requests a mobile version for the iPhone to be completed within two months. Hire two iOS developers the classic way? They won’t get it, no matter how hard you try. Instead, the team uses a team augmentation model, wherein, in a week, they get two experienced Swift developers who are already familiar with financial APIs and ready to code.

****When Augmentation Is Definitely Your Option****

Let’s be honest: staff augmentation is not a universal cure-all. If you need someone who will own the product strategy for years or shoulder cross-functional leadership, a direct hire still makes sense. Yet “cultural fit” is hardly a drawback of augmentation anymore; reputable vendors embed full-time engineers who share your values, participate in your rituals, and behave exactly like in-house teammates.

Software development staff augmentation works perfectly in these situations:

*   **Peak loads**. You received three large orders at the same time and need a quick team boost.
*   **Specific expertise**. If you need a Kubernetes specialist to set up complex infrastructure, but also to set up payments for a complex region or AI integration.
*   **Quick project start**. Classic example: you just received funding and want to quickly build an MVP. 
*   **Testing new technologies**. The company is considering moving from monolithic architecture to microservices. Instead of training the entire team on a new stack, you can bring in a couple of experienced architects on augmentation who will help with the transformation.
*   **Global scaling.** Planning to build a development hub in another country? An augmentation partner can hire locally and even help set up a satellite office, so you gain time-zone coverage without legal or HR headaches.

When executed well, augmented engineers attend your stand-ups, follow your coding standards, and grow with your roadmap. Use this model as a strategic lever to flex capacity, explore new markets, and keep your core team focused on what they do best.

****How to Choose the Right Model and Not Mess Up****

Development team augmentation can take different forms depending on your goals, budget, and the pace of your product’s growth. Below are three models that help determine what fits your situation best.

1.  **Gradual Team Expansion.** This approach involves adding one or several specialists step-by-step, integrating them into your workflow without major changes. It’s suitable when you have a limited budget, a moderate development pace, or specific tasks that don’t require a full team right away. The advantage is controlled growth and the ability to adjust the team composition as priorities shift.
2.  **Hiring a Small Cross-Functional Team.** This model works when you need to quickly cover multiple diverse tasks design, backend, frontend, testing, and more. It’s a good fit for a stable product where extra hands are needed, but the tasks themselves aren’t overly complex or don’t require long onboarding. The benefit is fast scaling without losing flexibility.
3.  **Building a Large Extended Team.** An ideal option for companies experiencing rapid growth: new funding, the start of a large product initiative, or the need to build an MVP in a short timeframe. In this case, you form a team capable of handling the entire development cycle and moving at high speed. This model offers maximum velocity and the ability to execute complex technical solutions.

The choice of team augmentation model depends on the amount of work, development prospects, and funding you are willing to commit to. Some start by hiring a single specialist to test the model and understand how it works. Later, they may move on to hiring a larger team once they are convinced that the model is delivering real results.

According to Newxel, an augmentation provider, choosing the right partner deserves separate attention. You can’t just Google “cheap developer augmentation” and hope for the best. It requires technical interviews, checking English proficiency, and providing a preselected pool of candidates. This process saves a significant amount of time

What to look for when choosing:

*   **Candidate selection process**. How does the company verify skills? Who conducts technical interviews? What percentage of candidates pass through the filters?
*   **Speed of closing vacancies**. Realistic terms are from a week to a month, depending on role complexity. If they promise to find a senior in three days, that’s a red flag.
*   **Geography and time zones**. A difference of 2-3 hours is still normal. When the team is in Kyiv, and the developer is in San Francisco, communication can be a problem, but if the goal is to save the budget, then, on the contrary, it is an advantage.
*   **Legal support.** A reputable augmentation provider assumes full responsibility for contracts, taxes, and compliance, whether that means Czech labor law today or Brazilian data-privacy rules (PDF) tomorrow, so your team can stay focused on shipping code.

By vetting vendors on these criteria, you minimize risk, maintain momentum, and keep the total cost of ownership predictable. Remember: the right model plus the right partner turns staff augmentation from a quick fix into a long-term strategic advantage.

****Integrating New People: The First Two Weeks Decide Everything****

The biggest mistake with development team augmentation is thinking you can just “throw” someone into a project and expect results. Even an experienced senior needs time to adapt.

*   **First day**. Access to everything: GitHub, Jira, Slack, documentation, and test environments. Sounds obvious, but the number of companies where a new person can’t do anything the first week due to lack of access is staggering.
*   **First week**. Onboarding sessions with key people. The architect talks about the system, the team lead explains processes, and the product shows the roadmap. A couple of hours of investment now will save weeks of questions later.
*   **First two weeks**. Simple but real tasks. Fix a bug, add a small feature, write a test. The goal: the person should do something useful and feel the taste of victory, while the team sees how the newcomer works.

Life hack: assign a mentor. Not necessarily the team lead, just someone from the team who can be approached with silly questions. This reduces stress for the newcomer and doesn’t overload the leads.

Regarding communication: if your team is used to the office and the augmented specialist works remotely, establish a rule that everything important is discussed in chats or video calls, so no one is left out.

****Managing an Augmented Team: Where the Pitfalls Hide****

Managing someone who technically isn’t your employee is a bit unusual at first. The main rule: treat augmented developers the same as your own employees. They should be aware of all processes, receive access to information, and feel like part of the team.

1.  **Sprints and planning**. Augmented team members participate in all ceremonies: planning, retros, and daily standups. If someone is absent from these meetings, they start working in a vacuum.
2.  **Feedback and KPIs**. Regular one-on-one meetings are critically important. Discuss what’s going well, where there are difficulties, and whether there’s enough context for work. Without this, you might not notice problems for months.
3.  **Cultural differences**. If you’re hiring developers from other countries, be prepared for differences in communication. What sounds like a direct question to a Ukrainian might seem rude to a German and too soft to an American.

Typical problem: the team perceives augmented specialists as “those contractors,” not full-fledged members. Result isolation, demotivation, and ultimately poor results. To avoid this, involve everyone in social activities: virtual coffee breaks, team games, and informal chats.

****Why Team Augmentation Often Wins Over In-House Hiring****

1.  **Lower Cost Without Losing Quality** – With access to talent from Ukraine, Poland, Romania, and other strong engineering hubs, companies in the UK, the Netherlands, Ireland, or the US can hire top-tier developers at significantly lower rates than local specialists without any compromise on skills or delivery quality.
2.  **Faster Hiring Process** – The average time to bring an augmented developer on board is just 2-4 weeks, not months. Augmentation allows you to start building almost immediately, while in-house hiring cycles often take much longer due to interviews, approvals, and notice periods.
3.  **Access to Rare or Highly Specialized Experts** – Augmentation gives you access to talent with rare skills that would otherwise be nearly impossible to hire directly. Many providers maintain deep pools of specialized professionals for exactly this reason.
4.  **External Expertise and Fresh Perspective** – Engineers who collaborate across multiple products and industries naturally build broader thinking and stronger problem-solving instincts. They can bring unconventional ideas, alternative architectural approaches, and improvements that internal teams may overlook due to lower “exposure” to diverse solutions.

Software development staff augmentation helps companies save money, hire faster, access rare talent, and bring fresh thinking into their product, all without the overhead of expanding the internal team.

****The Future of Augmentation: Hybrid Models and AI****

The main trend is hybrid models. Companies combine full-time employees, augmented specialists, and classic outsourcing depending on the task. For core functions staff, for new directions augmentation, and for routine outsourcing.

AI is also impacting the industry. On one hand, tools like GitHub Copilot make developers more productive, reducing the need for additional hands. On the other hand, AI creates demand for new roles: ML engineers, prompt engineers, and AI ethicists. These specialists are scarce, so augmentation becomes a logical way to attract them.

Another trend is globalization. Previously, companies looked for specialists in their country or neighboring countries. Now geography doesn’t matter. A startup from Seattle can have augmented developers from Ukraine, Argentina, and Portugal simultaneously.

****Conclusions: When to Act****

Development team augmentation is not a panacea but a tool. Powerful and flexible, but requires skill to use.

Suitable for you if:

*   You need specialists quickly (less than a month)
*   The project has clear deadlines and scope
*   You have experience managing remote teams
*   Budget is limited, and hiring risks are high

Not suitable if:

*   There are no onboarding processes
*   Project secrecy is critical
*   The team isn’t ready to work with external people

Finally, don’t wait for the perfect moment to experiment. Start with one specialist in a small role. See how it works in your context. Adapt processes. Scale it if it works. The market won’t wait for you to find the ideal candidate. Those who learn to effectively use augmentation now will have an advantage tomorrow. The choice is yours.

(Photo by Jeffery Ho on Unsplash)

Development Team Augmentation: A Strategic Approach for High-Performance Teams

A new malware called PyStoreRAT is being through fake OSINT tools on GitHub targeting IT and OSINT pros. Read Morphisec's report detailing how it uses AI and evades security.

A coordinated and new malware campaign is exploiting the popular developer platform, GitHub. The target? Professionals in IT administration, cybersecurity, and open-source intelligence (OSINT). This is according to a detailed research report by Morphisec Threat Labs on a previously unknown threat, dubbed PyStoreRAT.

For your information, PyStoreRAT is a Remote Access Trojan, which is a type of malicious program that gives an attacker secret, long-term control over a victim’s computer. Researchers observed that this campaign is different because it involves careful planning and uses tools created by Artificial Intelligence (AI) to appear legitimate.

****The AI-Assisted Supply Chain Attack****

The preemptive cyber defence firm Morphisec’s investigation revealed that the attackers’ smart strategy began over the last several months by reactivating dormant GitHub accounts, some of which had been inactive for years.

These accounts then started posting seemingly authentic, polished projects that were created using Artificial Intelligence (AI) to build immediate trust. These projects included useful software like OSINT tools, crypto trading bots (DeFi bots), and AI chat wrappers (GPT wrappers).

These convincing projects/repositories were so well-made that several quickly climbed high on GitHub’s trending lists. Only after gaining this traction and trust did the criminals introduce subtle code updates, disguised as simple ‘maintenance, to plant the PyStoreRAT backdoor.

One of the malicious tools being spread through GitHub (Image credit: Morphisec)

****PyStoreRAT- A Multi-Purpose, Evasive Threat****

Further investigation revealed that PyStoreRAT is designed for stealth and flexibility. It is multi-functional as it performs a full profile of the victim’s computer and can deploy other types of harmful software, including the infamous data-stealing malware like the Rhadamanthys stealer and Python Loader.

It is worth noting that the malware is highly adaptive. According to Morphisec’s research, it even switches its launch method when it detects certain security software like CrowdStrike Falcon or products from CyberReason and ReasonLabs to reduce its visibility. Moreover, the malware can spread through portable storage devices like USB drives and dynamically pulls new components directly from its operators.

Additionally, researchers found a circular, rotating system of control servers for the malware, which helps it quickly update its commands and makes it much harder to shut down. The presence of Russian-language strings in the code, such as the word “СИСТЕМА” (which means SYSTEM), suggests the overall operation is far “beyond typical GitHub-malware noise,” Morphisec’s malware researcher Yonatan Edri explained in the blog post shared with Hackread.com.

Attack flow (Image credit: Morphisec)

****List of Malicious GitHub Repositories****

Here is a list of all malicious GitHub repositories used in the campaign. The good news is that most of the repositories have been deleted by GitHub. The bad news is that a few are still available.

*   https://github.com/setls/HacxGPT
*   https://github.com/turyems/openfi-bot
*   https://github.com/bytillo/spyder-osint
*   https://github.com/gonflare/KawaiiGPT
*   https://github.com/tyreme/spyder-osint
*   https://github.com/gumot0/spyder-osint
*   https://github.com/rizvejoarder/SoraMax
*   https://github.com/Zeeeepa/spyder-osint
*   https://github.com/aiyakuaile/easy\_tv\_live
*   https://github.com/WezRyan/spyder-osint
*   https://github.com/Zeeeepa/spyder-osint2
*   https://github.com/Metaldadisbad/HacxGPT
*   https://github.com/Manojsiriparthi/spyder-osint
*   https://github.com/xhyata/crypto-tax-calculator
*   https://github.com/turyems/Pharos-Testnet-bot
*   https://github.com/adminlove520/VulnWatchDog
*   https://github.com/shivas1432/sora2-watermark-remover

This blending of AI-generated legitimacy, social engineering, cloud resilience, and adaptive execution is being called an “evolutionary step” in the world of online threats, making traditional security measures “fundamentally unreliable.” That’s why Morphisec emphasises that defenders responsible for safeguarding developer environments or sensitive data must understand how this malware works to safeguard systems

New PyStoreRAT Malware Targets OSINT Researchers Through GitHub

Disclosure: This article was submitted by PDFAid for publication.

Most people interact with PDF tools only at the surface level, such as selecting a file, clicking upload, waiting a few seconds, and then downloading a new optimised version. The process feels simple and almost instant. But what actually happens during those few seconds is far more involved.

Behind the scenes, PDFAid performs a rapid sequence of operations designed to analyse your document, break it down into parts, apply compression and optimisation rules, and then rebuild it so the final file is smaller, cleaner, and easier to work with.

This is the behind-the-scenes work that is hidden from view but which forms the core of what PDFAid does. Knowing what happens in those seconds helps explain how the tool preserves document quality, how it keeps working with big files, and how it can deliver consistent results with whatever type of PDF is uploaded. The full process is technical, but its purpose is very simple: to give users a fast, safe, and reliable way of optimising documents without having to understand such complexities.

****How the upload stage begins****

It all starts with the click of the upload button. PDFAid opens a safe connection, receives the file, and places it inside a protected environment for processing. This step in uploading is important, as it determines how quickly the system can begin analysing the content inside the PDF. Larger files will take a little bit longer to actually enter the system. However, upload speeds are impacted mostly by the user’s internet connection rather than the capabilities of PDFAid in processing. Once the file reaches the server environment, this is where the real work begins.

PDFs are containers that may hold a wide variety of information. A single file can be comprised of text, fonts, images, scanned elements, vector illustrations, embedded objects, annotations, and more. PDFAid has to understand what is inside the document before anything can be optimised. That is why the upload phase is closely followed by the analysis phase.

****How the system analyses your PDF****

The analysis step involved is the most detailed of the process. PDFAid starts off with scanning the file structure and identifying such components as text layers, embedded fonts, image objects, metadata fields, and layout instructions.

The system reads the internal map of the PDF, including the references to each page, what’s on the page, and how the elements relate to each other. It needs to decide if the text is selectable or is part of a scanned image. It needs to identify if images are high or low resolution. It needs to detect whether fonts are embedded or substituted. Every one of these details affects how the system will go ahead with optimisation.

This kind of structural analysis can also bring to light redundancies. Many PDFs contain duplicate resources such as repeated fonts, unused images, or unnecessary metadata, all on oversized graphic layers. PDFAid picks up these invisible elements as part of its preparations for slimming the file later on.

Instead of blindly compressing the document, the system classifies each element so that compression is intelligently applied, without it being at the expense of readability.

****How image optimisation works inside PDFAid****

Images are one of the largest contributors to PDF file size. Even a short document can become extremely large if it contains several high-resolution photos or full-page scanned images. PDFAid evaluates the resolution, colour depth and encoding method of each image in the file.

If an image is far larger than what’s required to view comfortably on a standard screen, PDFAid reduces its resolution to an appropriate amount while maintaining sharpness. This reduction is not arbitrary: it first measures the density of the original pixels, the layout size intended within the document, and the minimum resolution necessary to retain sharpness. Once those factors are determined, PDFAid applies compression to shrink file size without compromising quality.

Color images can be analysed for palette simplification. The system reduces colour noise or removes channels if possible. This should not change the visual appearance, of course. What is at stake is always the balance between file size and true-to-source clarity.

****How text and fonts are preserved****

Text is much lighter than images, but it still requires careful handling. When PDFAid detects embedded fonts, it checks to see if those fonts are used throughout the document or just in specific sections. Sometimes PDFs contain several fonts that, to the user, appear to be the same. PDFAid can combine such compatible font sets, which reduces digital overhead.

It maintains text as vector-based instructions, meaning it scales correctly and remains crisp even after compression. PDFAid does not convert text into images and does not flatten text layers. This means the final document remains fully selectable, searchable, and editable.

****How the engine handles scanned PDFs****

Scanned PDFs differ from the ones that are created digitally because they quite often have no text layers at all, but instead consist of full-page images. These can become very large, very fast, and require a different optimisation process.

PDFAid checks the resolution of every scanned page and searches for noise patterns, heavy backgrounds, or blank areas. Wherever possible, it removes grain, suppresses heavy backgrounds, and compresses the scanned layer to reduce size without rendering the text blurry. The system applies targeted optimisation page by page rather than a one-rule-for-the-whole-file approach.

This page-per-page approach ensures that the resulting output is clear and compact, thus being very convenient for any user dealing with big collections of scanned archives or bundles of documents.

****How PDFAid reduces internal file overhead****

Beyond visible content, many PDFs have a lot of hidden or redundant components. Some retain the history of their edits, unused objects, or leftover embedded resources from software tools that once edited them. These take up space without adding any value for the user.

PDFAid then removes unnecessary metadata, cleans up unused object references, consolidates duplicate resources, and restructures internal instructions to make the PDF more efficient. This cleaning step is invisible to the user but contributes considerably to the reduction in file size.

****How the system reconstructs the optimised PDF****

After content analysis and optimisation, PDFAid rebuilds the file page by page, applying updated compression rules, reinserting optimised images and fonts, and ensuring that the structure remains fully compliant with standard PDF viewing requirements.

By doing this, the reconstruction step ensures that the document will retain device, browser, and viewing-software compatibility. Every optimised PDF is structurally refreshed this way to ensure that the final product behaves exactly like the original, but smaller and more efficient.

****How PDFAid prepares the file for download****

The system moves the file to the download stage once it is optimised. PDFAid assembles the final document, verifies its integrity, and prepares a single downloadable file. This portion of the process happens quickly because the heaviest processing has already been done in the earlier steps.

Users can then download a clean, compressed PDF that retains the structure, clarity, and layout of the original. The result appears simple, but it represents a carefully orchestrated series of technical steps performed in seconds.

****Why does the whole process feel instant?****

Why PDFAid feels instant is because every step is highly optimised; the system uses parallel processing where possible, dividing tasks so that analysis, optimisation, and reconstruction work together efficiently. The platform is designed to handle many file types and sizes without slowing it down.

The process is complex, but the user only sees the result: an optimised PDF that is ready almost immediately after upload. 

From the time a file is uploaded to the time the completed document is downloaded, PDFAid performs an intricate set of operations. It locates every component of the PDF, optimises content based on type, eliminates extra elements, intelligently compresses and rebuilds a clean final file.

As far as the user is concerned, the interface is fast and easy; meanwhile, the complexity gets handled by the platform in the background. The behind-the-scenes process described enables PDFAid to provide consistently high-quality outputs in mere seconds. The tool combines speed, precision, and optimisation techniques to transform a heavy, unprocessed PDF into a lean, readable, and efficient final document without sacrificing clarity.

What Happens Inside PDFAid in Seconds: From Upload to Download

VS Code developers beware: ReversingLabs found 19 malicious extensions hiding trojans inside a popular dependency, disguising the final malware payload as a standard PNG image file.

Cybersecurity firm ReversingLabs (RL) has detected a sophisticated, long-running campaign targeting developers on the Visual Studio Code (VS Code) Marketplace. In total, 19 malicious extensions were found hiding a Trojan, with the campaign active since February 2025 and discovered on December 2.

For your information, VS Code is a key tool for many developers, making its Marketplace, where extensions (add-on features) are distributed, a prime target for cybercriminals. These findings came just a couple of weeks after a fake “Prettier” extension on the same marketplace was spotted dropping Anivia Stealer.

****The Dependency Trick****

According to RL Threat Researcher Petar Kirhmajer, the attackers used a classic Trojan technique where malicious software is disguised as something harmless. In this case, the malware was hidden inside an extension’s dependency folder, which is a necessary pre-packaged code an extension needs to run smoothly.

Attackers made a smart move. Instead of adding new code, they tampered with a highly popular, trusted dependency called path-is-absolute, which has gathered over 9 billion downloads since 2021.

Comparison of original and modified “path-is-absolute” package (credit: ReversingLabs)

By modifying this trusted package before bundling it into their rogue extensions, they added new code. This new code’s only job was to run immediately upon VS Code startup and decode a JavaScript dropper hidden in an internal file named lock. This means that users who blindly trusted the popular name in the dependency list would not find anything concerning.

****A Fake PNG File****

The final and most deceptive stage involved a file named banner.png. Although the .png extension suggests a standard image file, RL researchers noted that it was merely a disguise. When attempting to open it with a normal photo viewer, it showed an error message.

Further investigation revealed that banner.png was not an image but an archive containing two malicious binaries (the core parts of the malware). The decoded dropper then used the native Windows tool cmstp.exe to launch these binaries. The larger of the two is a complex Trojan, though its exact attack capabilities are still under review.

It is worth noting that several other malicious extensions in the campaign used a different dependency (@actions/io) and did not rely on the fake PNG file, splitting the binaries into separate .ts and .map files instead.

This research, published on December 10, 2025, and shared with Hackread.com, shows a rapid increase in threats. In the first ten months of 2025, malicious VS Code detections almost quadrupled, rising from 27 in 2024 to 105 this year.

Researchers confirmed that every one of the flagged extensions has been reported to Microsoft. Developers are urged to thoroughly inspect extensions, especially those with low downloads or few reviews, before installation.

Malicious Visual Studio Code Extensions Hide Trojan in Fake PNG Files

Zimperium zLabs reveals DroidLock, a new Android malware acting like ransomware that can hijack Android devices, steal credentials via phishing, and stream your screen via VNC.

A new mobile threat is allowing remote attackers to hijack Android devices, turning phones into surveillance tools and locking users out of their own data.

Cybersecurity researchers at the mobile security firm Zimperium’s zLabs discovered the campaign, dubbed DroidLock, which is currently targeting Spanish users through fake and malicious phishing sites.

Vishnu Pratapagiri, Zimperium’s security researcher and report author, noted that the malware acts much like ransomware (software that locks your device and demands payment), designed to perform “total takeover” of a victim’s device.

Once someone is tricked into installing it, DroidLock uses fake system update screens and other deceptive techniques to display a full-screen warning that pressures the victim to contact the attackers.

****How the Hijacking Works****

According to Zimperium’s research, shared with Hackread.com, this malicious program is highly organised, using 15 different commands to communicate with its C2 centre. What’s worth noting is that DroidLock does not actually encrypt files like typical ransomware, but it can still do major damage.

Furthermore, it exploits the device’s Device Administrator Permission to gain the ability to perform various fraudulent activities, such as “wipe the device entirely,” or change your PIN or password, locking you out permanently, Zimperium’s blog post reads.

One of the most concerning features is how it steals sensitive information. Researchers found that DroidLock uses dual overlay techniques (fake screens appearing over real apps) to illegally gather important details like screen unlock patterns and app credentials. It can also stream your screen and remotely control your device via VNC (Virtual Network Computing).

Another key feature is its ability to secretly capture and transmit all screen activity to a remote server, operating constantly in the background. This highly dangerous functionality allows attackers to steal any sensitive information shown on the device’s display, including login details or multi-factor authentication (MFA) codes. It can even capture the victim’s image with the front camera.

Ransomware-style overlay and admin contact information, Lock screen overlay appearing on the screen, and Malware requesting Accessibility Services (Image credit: Zimperium)

****Corporate Data Could Be at Risk****

This threat is particularly worrying because, as we know it, mobile devices are usually the least protected way employees access company information. A simple click on a deceptive link can lead to a “full device compromise,” which impacts both personal users and company data on work phones.

Research also revealed that DroidLock can remotely control every part of the phone. Zimperium researchers emphasise the need for better mobile protection, as a compromised phone becomes a “hostile endpoint” inside a corporate network.

New ‘DroidLock’ Android Malware Locks Users Out, Spies via Front Camera

Road Town, British Virgin Islands, 11th December 2025, CyberNewsWire

**Road Town, British Virgin Islands, December 11th, 2025, CyberNewsWire**

1inch, the leading DeFi ecosystem, has been selected as the exclusive swap provider at launch for Ledger Multisig, deepening the collaboration between the two projects. By integrating the 1inch Swap API into its security-first multisig architecture, Ledger, the world leader in digital asset security for consumers and enterprises, enables secure, seamless treasury swaps with full clear signing. This is a major leap forward in the security of on-chain treasuries.

Blind signing has long been a structural weakness in on-chain treasury management, where DAOs, funds, enterprises, and DeFi teams are often required to take unnecessary risk, when approving transactions. The combination of Ledger Multisig and the 1inch Swap API, overcomes this issue, allowing every swap to be reviewed in clear, human-readable form, bringing execution into the light and aligning it with established standards for governance and asset transfers.

Through this integration, there is no need for blind signing, thanks to structured, readable data via EIP-712. Users can review full transaction details on-device. 1inch’s Swap API provides Ledger Multisig users with verifiable swap routes, deep liquidity aggregation for competitive pricing, support for safe-compatible trades across multiple chains, and MEV-resistant execution paths.

Ledger is once again setting a new benchmark for security, this time for treasury operations. By pairing hardware-level assurance with a trusted execution layer, Ledger Multisig eliminates a major security blind spot in DeFi. Organizations can now manage assets, rebalance treasuries, and interact with DeFi with clarity, confidence, and uncompromising security.

In addition to bringing swaps to Ledger Multisig, 1inch is also adopting the signing technology to elevate its own security across its own treasury workflows. By utilizing Ledger Multisig, 1inch is creating and setting the standard for secure and seamless operations.

> “For the DeFi industry to mature, we must create self-custody tools that are both safer and simpler. This is something that both, 1inch and Ledger are focused on solving. Treasury management is just another area of crypto that through our collaboration, we have made feel effortless, without compromising on security,” **said Sergej Kunz, 1inch co-founder.**

> “Ledger Multisig is the easy solution for businesses moving money on-chain that want to use Ledger’s uncompromising security,” said **Sebastien Badault, EVP of Enterprise at Ledger**. “1inch has been a strong supporter of Ledger and understands the value of security. 1inch was early to support Clear Signing, direct connectivity with Ledger signers, and we’re delighted to have 1inch as the exclusive Swap provider at launch for Ledger Multisig.”

**About 1inch**

1inch accelerates decentralized finance with a seamless crypto trading experience for 26M users. Beyond being the top platform for low-cost, efficient token swaps with $500M+ in daily trades, 1inch offers a range of innovative tools, including a secure self-custodial wallet, a portfolio tracker for managing digital assets, a dedicated business portal giving access to its cutting-edge technology, and even a debit card for easy crypto spending. By continuously innovating, 1inch is simplifying DeFi for everyone. 

Website | 1inch Business | X | Blog

**About Ledger**

Celebrating its 10 year anniversary in 2024, Ledger is the world leader in Digital Asset security for consumers and enterprises. Ledger offers connected devices and platforms, with more than 8M devices sold to consumers in 165+ countries and 10+ languages, 100+ financial institutions and commercial brands. Over 20% of the world’s crypto assets are secured by Ledger. 

Ledger is the digital asset solution secure by design. The world’s most internationally respected offensive security team, Ledger Donjon, is relied upon as a crucial resource for securing the world of Digital Assets. With over 14 billion dollars hacked, scammed or mismanaged in 2023 alone, Ledger’s security brings peace of mind and uncompromising self-custody to its community.

**Contact**

**PR lead**  
**Pavel Kruglov**  
**1inch**  
**\[email protected\]**

1inch Named Exclusive Swap Provider at Launch for Ledger Multisig

Phishing campaign: Scammers sent over 40,000 spoofed SharePoint, DocuSign and e-sign emails to companies, hiding malicious links behind trusted redirect services.

A phishing campaign impersonating digital document platforms has reached more than 6,000 organisations in just two weeks, according to researchers at Check Point Research (CPR).

This phishing campaign used emails that were prepared to look like legitimate notifications from services like SharePoint and DocuSign, tricking recipients into clicking links that led to credential theft pages.

File-sharing and e-signing tools are part of daily operations for industries like banking, insurance, real estate, and consulting. By copying the style and tone of trusted platforms, the phishing messages appeared routine enough to pass as real. The subject lines, formatting, and even logos matched what users might expect from a legitimate alert.

Check Point researchers tracked over 40,000 phishing messages across the U.S., Europe, Canada, Asia, Australia, and the Middle East. Most targets operated in consulting, tech, and real estate, but the campaign also reached into healthcare, energy, education, and government sectors. These industries rely heavily on document exchanges, making the bait especially believable.

One key tactic used in the attack was redirect cloaking. The phishing links were routed through Mimecast’s URL rewriting service, which is often used to protect users from harmful websites.

In this case, attackers abused the system to make their links look trustworthy. Since Mimecast is a known cybersecurity platform, the rewritten links were less likely to trigger alarms either from email filters or the people reading the messages.

Another variation mimicked DocuSign notifications using a different path. Instead of Mimecast, the attackers used Bitdefender and Intercom’s infrastructure to wrap their links, hiding the real destination more effectively. In both versions, the goal was the same lead the user to a page where they would unknowingly hand over login details or sensitive information.

The visual design of the phishing emails was sharp enough to fool many. Some messages came from fake display names like “X via SharePoint (Online)” or “eSignDoc via Y,” while others used generic names like “SharePoint.” Embedded buttons and headers mirrored real services. The sender banked on the idea that a busy employee would click before thinking twice.

Phishing emails used in the campaign (Image via CPR)

Mimecast previously responded and also clarified for the latest campaign that no technical flaw in its systems was exploited. The attackers used its redirect feature to mask URLs but didn’t breach any security mechanisms.

Mimecast emphasised that its systems do scan and block malicious links both at delivery and when clicked. The company also referenced a more comprehensive analysis of similar phishing tactics available on its own platform.

Scammers Sent 40,000 E-Signature Phishing Emails to 6,000 Firms in Just 2 Weeks

Cary, North Carolina, USA, 11th December 2025, CyberNewsWire

**Cary, North Carolina, USA, December 11th, 2025, CyberNewsWire**

**As AI accelerates job transformation, INE supports organizations reallocating Q4 budgets to experiential, performance-driven upskilling.**

With **90% of organizations facing critical skills gaps** (ISC2) and AI reshaping job roles across cybersecurity, cloud, and IT operations, enterprises are rapidly reallocating L&D budgets toward hands-on training that delivers measurable, real-world performance. INE is uniquely positioned to support this shift, helping organizations invest their end-of-year budgets in scalable labs, simulations, and immersive learning experiences that strengthen workforce readiness ahead of 2026.

As organizations prepare for 2026, L&D teams are under pressure to justify spend with measurable outcomes. Traditional e-learning continues to grow, but enterprise buyers are shifting their dollars toward **hands-on, performance-based training**, where they see faster time-to-competency, higher retention, and clearer ROI. This is especially true in highly technical disciplines like cybersecurity, cloud, and IT operations, where real-world proficiency directly affects business resilience.

**End-of-Year Budgets Are Fueling a Shift Toward Experiential Learning**

With Q4 spend-down deadlines approaching, organizations are increasingly using remaining budget to invest in solutions that deliver immediate operational value. Certification-only programs, long a staple of enterprise L&D, struggle to address the speed and complexity of current technology industry demands.

Hands-on learning has become the preferred model for both learners and business leaders. The LinkedIn Workplace Learning Report notes that **74% of employees prefer experiential, hands-on learning** over passive methods. This shift reflects a broader recognition: enterprises need training that shortens onboarding time, builds confidence, and prepares employees for real scenarios—not just exams.

INE enables organizations to direct their end-of-year budgets toward:

*   **Real-world labs and simulations**
*   **Immersive, scenario-based learning**
*   **Skills pathways tied to practical performance**
*   **Adaptive training powered by AI**
*   **Continuously updated content aligned to emerging threats and technologies**

> “L&D leaders want training that improves readiness on day one,” said **Lindsey Rinehart, Chief Executive Officer at INE**. “End-of-year budgets are increasingly being deployed toward experiential learning because the impact is immediate, measurable, and directly tied to workforce performance.”

**Skills Gaps Are Intensifying Demand for Hands-On Training**

The global skills shortage has become one of the costliest operational risks organizations face, contributing to increased incidents, slower remediation, and rising burnout across technical teams. Research from IBM shows that skills gaps contribute to **82% of security breaches**, underscoring the need for training methods that build real-world capability—not just theoretical understanding.

Hands-on learning has proven to be the most reliable solution. Practice-based training delivers **up to 75% knowledge retention** (Learning Pyramid / LinkedIn Learning analysis), compared to just **5–20%** for lecture- or video-based programs, and can reduce time-to-competency by as much as 45%. These outcomes make immersive training essential for closing skills gaps quickly and sustainably.

**AI Adoption Is Accelerating the Move Toward Practice-First Learning**

AI-driven corporate training is expanding rapidly across North America, Europe, and Asia-Pacific, with strong growth projected through 2033 (LinkedIn Market Forecast). As AI transforms workflows, enterprises require training systems that adapt to learner proficiency, evaluate real-world performance, and continuously assess skills readiness.

INE’s platform aligns directly with these demands, delivering dynamic hands-on labs, intelligent analytics, and performance-based insights that organizations can scale globally.

**INE Positioned to Support 2026 Workforce Needs**

As organizations finalize their 2026 workforce development strategies, INE offers a proven, experiential training platform built to reduce operational risk and accelerate skills development. By directing end-of-year budgets toward hands-on training with INE, enterprises can:

*   **Reduce ramp-up time** **for technical teams**
*   **Validate skills with measurable, performance-based analytics**
*   **Increase workforce readiness and resilience**
*   **Support continuous upskilling for emerging technologies**
*   **Deploy scalable, real-world training globally**

> “Enterprises that invest their remaining Q4 budgets into hands-on, performance-driven learning will enter 2026 with stronger teams and significantly improved operational readiness,” said Rinehart.

INE Enterprise enables companies to turn training investments into measurable performance gains that directly support business resilience and growth.

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Chief Marketing Officer**  
**Kim Lucht**  
**INE**  
**\[email protected\]**

Source

HackRead