INTERPOL disrupts 20,000 infostealer domains in major cybercrime crackdown across Asia-Pacific, 32 arrested, 216K victims notified in Operation Secure.

An international cybercrime operation coordinated by INTERPOL has led to the takedown of more than 20,000 malicious IPs and domains used to deploy infostealer malware across the Asia-Pacific region.

Dubbed Operation Secure, the four-month crackdown (January to April 2025) brought together law enforcement from 26 countries and private cybersecurity partners to disrupt a growing cybercriminal infrastructure built around data-stealing malware. The effort also led to 32 arrests, 41 server seizures and the collection of over 100 GB of criminal data.

****A Clear Target: Infostealers****

Infostealer malware has become a go-to tool for cybercriminals seeking quick access to personal and corporate information. Once installed, it quietly extracts browser credentials, email logins, cookies, crypto wallet data and more. This information is then sold on underground marketplaces, fueling a wide range of attacks including ransomware, business email compromise (BEC) and online fraud.

“Logs stolen by infostealers are often the starting point for wider breaches,” said INTERPOL Cybercrime Director Neal Jetton. “Cutting off these initial access points disrupts larger criminal operations.”

****Private Sector Intelligence Key to Operation****

The operation was powered by cyber intelligence reports from Group-IB, Kaspersky and Trend Micro. These reports helped INTERPOL and national agencies identify suspicious infrastructure ahead of time, contributing to a 79% takedown rate of the flagged IPs.

The Hong Kong Police played a critical role by analyzing over 1,700 leads and identifying 117 command-and-control servers spread across 89 internet service providers. These servers were used to coordinate phishing scams, social engineering attacks and account takeovers.

****Arrests, Raids and Seized Evidence****

Vietnamese authorities arrested 18 suspects, including a ringleader found with business registration documents, SIM cards and more than 300 million dong (about USD 11,500) in cash. Evidence suggests the group was involved in creating and selling corporate accounts.

Further arrests came from Sri Lanka and Nauru, where coordinated raids led to the detention of 14 individuals and the identification of 40 victims. Devices were seized from both homes and workplaces, pointing to structured cybercriminal operations rather than lone hackers.

****Victim Notification and Follow-up****

After dismantling infrastructure, authorities alerted over 216,000 victims and potential victims. Those notified were urged to change passwords, secure email accounts, freeze compromised financial services and scan their devices.

Via INTERPOL

Operation Secure was conducted under the ASPJOC (Asia and South Pacific Joint Operations Against Cybercrime) framework. Participating countries ranged from large players like India and Japan to smaller island nations including Kiribati, Vanuatu and Tonga, highlighting a region-wide commitment to fighting cybercrime at all levels.

While infostealer operations continue to spread, the results of this crackdown show that even widely distributed criminal infrastructure can be disrupted with the right mix of intelligence, speed and cross-border cooperation.

Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested

AppOmni research reveals over 20 security vulnerabilities, including zero-days, in the Salesforce Industry Cloud. Learn about critical risks, customer responsibilities, and how to protect sensitive data.

A recent investigation by security research firm AppOmni has brought to light more than twenty security weaknesses within Salesforce‘s Industry Cloud products. These findings, shared with Hackread.com, include several critical, previously unknown vulnerabilities, known as zero-days, which have been given a high-risk rating.

The research, led by AppOmni’s Chief of SaaS Security Research, Aaron Costello, highlights how simple setup mistakes by users can expose sensitive information and lead to serious security problems.

For your information, Salesforce Industry Clouds are designed to help businesses in areas like healthcare, finance, and telecommunications build custom solutions quickly, even for those without deep technical skills. This low-code approach makes development fast, but it also means users have a responsibility to set up the platform securely.

Costello’s research revealed that basic settings and common but unsafe practices could allow unauthorized access to encrypted data, enable session stealing, and expose login details and business information.

Five of the critical vulnerabilities have been assigned CVEs (Common Vulnerabilities and Exposures), with three already fixed and two needing action from customers to resolve. Sixteen other setup risks remain the customer’s responsibility to fix.

****Understanding the Risks****

The security problems found affect important parts of Salesforce, such as FlexCards, Data Mappers, and Integration Procedures. These components are used to handle and display data within the platform. For example, some issues found could allow people without the right permissions to see encrypted data or bypass security checks.

This means sensitive information like names, addresses, financial records, and even healthcare data could be at risk. Attackers could also steal login information, potentially gaining access to other company systems.

Specifically, five serious vulnerabilities (CVE-2025-43697, CVE-2025-43698, CVE-2025-43699, CVE-2025-43700, and CVE-2025-43701) were identified in FlexCards and Data Mappers. Four of these are rated as high severity.

One vulnerability, CVE-2025-43697, found in Data Mapper, could expose encrypted information if not handled properly. The FlexCard vulnerabilities include issues where field-level security can be ignored (CVE-2025-43698), required permissions can be bypassed (CVE-2025-43699), encrypted data can be viewed by unauthorized users (CVE-2025-43700), and custom settings data can be exposed (CVE-2025-43701).

****Customer Action is Key****

Approximately a quarter of AppOmni’s customers use Salesforce Industry Clouds, highlighting the widespread impact of these findings. It’s crucial for organizations using these services to review and secure their configurations immediately.

Salesforce has worked with AppOmni to address these issues. While Salesforce has provided fixes for some issues, many of the identified risks require customers to make specific changes to their settings. This approach is vital to prevent attackers from exploiting these weaknesses. AppOmni has also released tools to help customers detect these misconfigurations in their Salesforce Industry Cloud setups.

Aaron Costello, chief of SaaS Security Research at AppOmni emphasized the need for better security practices in SaaS applications, noting that misconfigured SaaS apps are a significant yet often overlooked risk.

“My research highlights how simple misconfigurations can create serious risks, not just within Industry Cloud but across an organization’s entire Salesforce environment. By understanding these risks and applying best practices, companies can fully leverage Industry Cloud’s capabilities without exposing themselves to unnecessary threats,” Costello noted.

Salesforce Industry Cloud Hit by 20 Vulnerabilities Including 0days

June 2025 Patch Tuesday fixes 66 bugs, including a zero-day in WebDAV. Update Windows, Office, and more now to block active threats.

Microsoft’s June Patch Tuesday update has landed, bringing security fixes for 66 vulnerabilities across its product line. Among the patched flaws is one that was already being exploited in real-world attacks, making this month’s updates particularly important for both enterprises and individual users.

****One Zero-Day Actively Exploited****

The standout fix addresses CVE-2025-33053, a vulnerability in the WebDAV component of Windows. This flaw could allow attackers to execute code remotely if exploited correctly. Since it was already being used in attacks before today’s patch release, it falls into the “zero-day” category.

The WebDAV vulnerability affects both Windows 10 and Windows 11, along with related server versions. While Microsoft has not disclosed the full details of the attacks, they have confirmed that the bug was found in use in the wild.

****10 Critical Issues Fixed****

In addition to the zero-day, Microsoft patched 10 vulnerabilities rated Critical, which generally means they allow remote code execution or elevation of privilege without much user interaction. These include four bugs in Microsoft Office, which continue to be a regular target for attackers looking to send malicious documents through email.

Other products receiving fixes include Microsoft Edge, Power Automate, .NET, and components of Windows itself. While none of the other issues were reported as actively exploited, several are marked as more likely to be targeted in the near term.

****Windows Update Details****

The updated packages are available now and include:

*   **Windows 11**: KB5060842 (22H2 and 23H2)

*   **Windows 10**: KB5060533 and KB5060999

*   **Windows Server versions**: Also updated, depending on the build in use.

Admins should check their update management systems to confirm rollout and assess any compatibility concerns that may arise from the latest patches.

****Why This Month Matters****

The quick exploitation of CVE-2025-33053 once again shows how fast attackers move when new vulnerabilities are disclosed. While zero days often make headlines, the other fixes should not be ignored. Several of this month’s bugs involve components often exposed to the internet or frequently used in enterprise environments.

Companies that delay patching are not just risking data theft but also the cost of recovery from ransomware, which often begins with bugs like the ones patched today.

Nick Carroll, cyber incident response manager at Nightwing, the intelligence solutions company divested from RTX, commented on the Patch Tuesday event, stating, _“_There are a couple of vulnerabilities for the Windows Common Log File System (CVE-2025-32701 and CVE-2025-32706) which are Priv Esc vulnerabilities. Those aren’t critical, which means some organizations won’t prioritize patching them as quickly as they probably should. And if you look at what tends to get a lot of attention, critical vulnerabilities catch all the buzz,” noted Nick.

_“_But we see real world attacks abusing that Windows Log File subsystem pretty regularly. In fact, Nightwing has defended against exploits in the Windows Common Log File System in real world attacks last month related to the recently patched CVE-2025-29824 where the threat actors were abusing Living-off-the-Land tactics in conjunction with the exploit,” he added.

****What to Do Now****

*   **Apply all available June updates as soon as possible**, especially for systems using WebDAV

*   **Review your Office file handling policies**, especially if users frequently receive documents from outside the organization

*   **Monitor network traffic** for signs of suspicious activity linked to WebDAV or other patched services

*   **Test in staging environments** before rolling out company-wide, especially in environments with older or customized software stacks

Microsoft’s full advisory can be found on its official security update guide. Patching quickly remains one of the simplest and most effective defences against many forms of cyberattacks.

June 2025 Patch Tuesday: Microsoft Fixes 66 Bugs, Including Active 0-Day

Akamai's latest report reveals two Mirai botnets exploiting the critical CVE-2025-24016 flaw in Wazuh. Learn about these fast-spreading IoT threats and urgent patching advice.

Cybersecurity experts at Akamai have uncovered a new threat: two separate botnets are actively exploiting a critical flaw in Wazuh security software, open source XDR and SIEM solution, to spread the Mirai malware.

This vulnerability, tracked as CVE-2025-24016, affects Wazuh versions 4.4.0 through 4.9.0 and has since been fixed in version 4.9.1. It lets attackers run their own code on a target server by sending a specially crafted request through Wazuh’s API, hence, allowing attackers to take control of affected servers remotely.

It is worth noting that this is the first time active attacks using this vulnerability have been reported, highlighting a concerning trend where cybercriminals quickly turn newly discovered flaws into tools for their campaigns.

****Two Botnets, One Goal****

The technical report, shared with Hackread.com, reveals that Akamai’s Security Intelligence and Response Team (SIRT) first noticed suspicious activity in their global network of honeypots in March 2025, just weeks after the flaw was made public in February 2025.

The team identified two distinct botnets leveraging this exploit. The first botnet began its attacks in early March, using the vulnerability to download and run a malicious script. This script then pulls down the main Mirai malware, which is designed to infect a wide range of Internet of Things (IoT) devices.

These Mirai variants, sometimes named morte, are identifiable by a unique message they display, such as lzrd here_._ These initial attacks used the same authorization details as a publicly available proof of concept (PoC) exploit, meaning attackers quickly adapted known information.

The second botnet emerged in early May 2025, also spreading a Mirai variant called resgod. This botnet caught attention because its associated online addresses (domains) featured Italian-sounding names, like gestisciweb.com, which means manage web. This could suggest the attackers are specifically trying to target devices owned by Italian-speaking users. The resgod malware itself carries the clear message, “Resentual got you!”

****Beyond Wazuh: Other Exploited Flaws****

While the Wazuh vulnerability is the primary focus, the botnets weren’t limited to it. Akamai observed these malicious groups attempting to exploit several other well-known security flaws. These included older vulnerabilities in systems like Hadoop YARN, TP-Link Archer AX21 routers (CVE-2023-1389), Huawei HG532 routers (CVE-2017-17215), and ZTE ZXV10 H108L routers (CVE-2017-18368). This shows that the attackers use a broad approach, trying to infect systems through any available weakness.

Akamai’s report warns that it remains relatively easy for criminals to reuse old malware code to create new botnets. The speed at which this Wazuh flaw was exploited after its disclosure underlines how critical it is for organizations to apply security patches as soon as they become available.

Unlike some vulnerabilities that only affect outdated devices, CVE-2025-24016 specifically targets active Wazuh servers if they are not updated. Akamai strongly advises all users to upgrade to Wazuh version 4.9.1 or later to protect their systems.

Two Mirai Botnets, Lzrd and Resgod Spotted Exploiting Wazuh Flaw

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools…

OpenAI, a leading artificial intelligence company, has revealed it is actively fighting widespread misuse of its AI tools by malicious groups from countries like China, Russia, North Korea, and Iran.

In a new report released earlier this week, OpenAI announced it has successfully shut down ten major networks in just three months, demonstrating its commitment to combating online threats.

The report highlights how bad actors are using AI to create convincing online deceptions. For instance, groups connected to China used AI to post mass fake comments and articles on platforms like TikTok and X, pretending to be real users in a campaign called Sneer Review.

This included a false video accusing Pakistani activist Mahrang Baloch of appearing in a pornographic film. They also used AI to generate content for polarizing discussions within the US, including creating fake profiles of US veterans to influence debates on topics like tariffs, in an operation named Uncle Spam.

North Korean actors, on the other hand, crafted fake resumes and job applications using AI. They sought remote IT jobs globally, likely to steal data. Meanwhile, Russian groups employed AI to develop dangerous software and plan cyberattacks, with one operation, ScopeCreep, focusing on creating malware designed to steal information and hide from detection.

An Iranian group, STORM-2035 (aka APT42, Imperial Kitten and TA456), repeatedly used AI to generate tweets in Spanish and English about US immigration, Scottish independence, and other sensitive political issues. They created fake social media accounts, often with obscured profile pictures, to appear as local residents.

AI is also being used in widespread scams. In one notable case, an operation likely based in Cambodia, dubbed Wrong Number, used AI to translate messages for a task scam. This scheme promised high pay for simple online activities, like liking social media posts.

The scam followed a clear pattern: a “ping” (cold contact) offering high wages, a “zing” (building trust and excitement with fake earnings), and finally, a “sting” (demanding money from victims for supposed larger rewards). These scams operated across multiple languages, including English, Spanish, and German, directing victims to apps like WhatsApp and Telegram.

OpenAI actively detects and bans accounts involved in these activities, using AI as a ‘force multiplier’ for its investigative teams, the company claims. This proactive approach often means many of these malicious campaigns achieved little authentic engagement or limited real-world impact before being shut down.

Adding to its fight against AI misuse, OpenAI is also facing a significant legal challenge regarding user privacy. On May 13, a US court, led by Judge Ona T. Wang, ordered OpenAI to preserve ChatGPT conversations.

This order stems from a copyright infringement lawsuit filed by The New York Times and other publishers, who allege OpenAI unlawfully used millions of their copyrighted articles to train its AI models. They argue that ChatGPT’s ability to reproduce, summarize, or mimic their content without permission or compensation threatens their business model.

OpenAI has protested this order, stating it forces the company to go against its commitment to user privacy and control. The company highlighted that users often share sensitive personal information in chats, expecting it to be deleted or remain private. This legal demand creates a complex challenge for OpenAI.

OpenAI Shuts Down 10 Malicious AI Ops Linked to China, Russia, Iran, N. Korea

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing attackers abuse TLDs like .li, .es, and .dev to hide redirects, steal credentials, and bypass detection. See top domains flagged by ANY.RUN in 2025.

Some phishing sites don’t need fancy tricks, just the right domain name. And you won’t always spot it until it’s too late.

Hackers have become masters at abusing certain Top-Level Domains (TLDs), like .com, .ru, or .dev, to host phishing pages, fake login portals, or malware redirects. While many TLDs are used for legitimate purposes, others are repeatedly exploited to trick users into handing over sensitive information.

Recent sandbox data from ANY.RUN highlights the **20 TLDs most frequently used in phishing campaigns** in 2025. These domains are central to fake delivery scams, credential harvesting pages, and multi-stage redirect chains.

****Which TLD is the Most Abused by Attackers?****

According to ANY.RUN’s 2025 data, the **.li** domain ranks #1 in phishing abuse by ratio. An alarming **57%** of observed .li domains were flagged as malicious. But here’s the twist: many of them don’t host phishing content directly. Instead, .li is widely used as a **redirector;** a middleman that sends unsuspecting users to fake login pages, malware downloads, or credential harvesting sites.

These indirect roles in phishing chains often go unnoticed by detection tools, making .li a quiet but dangerous enabler in many attacks.

Top 20 phishing TLDs observed inside ANY.RUN sandbox analysis sessions

For instance, in this ANY.RUN analysis session, we see a .li domain in action. At first glance, it seems harmless. 

View analysis session

.li domain observed inside the interactive sandbox

As soon as it loads, the browser is quietly redirected from the .li domain to a .com version of the same name, maintaining a sense of legitimacy before finally landing on a phishing page tied to a crypto-mining scam. 

There’s no flashy malware or obvious warning sign, just a quick, invisible switch that hands the user over to an attacker-controlled site.

Phishing page detected by ANY.RUN sandbox

This kind of redirection tactic makes .li especially slippery. But it can be easily spotted inside the ANY.RUN sandbox, where analysts can **trace every redirection in real-time**, uncover hidden phishing paths, and extract critical IOCs before users ever click the link. Because the malicious content often lives one hop away, tools that rely only on domain blacklists or static scans frequently miss it.

Gain control over phishing investigations with full redirection paths, behaviour traces, and real-time analysis. Start analyzing with ANY.RUN.

****Other Commonly Abused TLDs in Phishing Campaigns****

While .li tops the list by ratio, it’s far from the only domain zone being misused by attackers. Several others stand out due to the **high frequency and recurring use in phishing campaigns**.

****.es: Fake Logins and Delivery Scams****

.es, Spain’s country code TLD, has become a popular choice for attackers running credential phishing and fake delivery scams. Phishing pages using .es often mimic familiar services like Microsoft 365 or postal couriers, tricking users into entering their login credentials or payment information. The domains feel local and trustworthy, making them especially dangerous for Spanish-speaking users.

Phishing attack using fake Microsoft attack with .es domain

****.sbs: Cheap Domains for Credential Harvesting****

Because .sbs domains are incredibly cheap to register, attackers use them for quick-hit phishing campaigns. These domains often host fake tracking pages, urgent payment requests, or impersonate corporate portals, each crafted to steal login details or credit card numbers. The low barrier to entry makes .sbs a go-to for disposable phishing infrastructure.

Malicious activity with .sbs domain detected by ANY.RUN

****.cfd: Frequently Used in Phishing Kits****

Another budget TLD, .cfd shows up often in phishing kits posing as document sharing or government portals. These sites may appear to be PDF viewers or tax forms but are designed to harvest sensitive information, usually corporate credentials or ID data.

Since the branding is generic and the sites are throwaway, attackers can spin them up in bulk.

Phishing attack with .cfd domain observed inside interactive sandbox

****.ru: Familiar-Looking but Malicious****

Despite being a legitimate country-code domain, .ru remains a common sight in malicious campaigns. Many phishing actors use it to lend a sense of credibility, especially when targeting users in or near Russia. It’s frequently used to host fake login forms or distribute malware disguised as software downloads.

.ru domain with a fake Microsoft login page detected by ANY.RUN

****.dev: Abused via Trusted Platforms****

.dev domains are often tied to Google’s hosting services, such as pages.dev and workers.dev, giving them an automatic layer of legitimacy through HTTPS and clean interfaces. Phishing pages hosted here can look polished and professional, making them harder to distinguish from real services, even for tech-savvy users. This makes .dev a powerful tool for impersonating SaaS platforms or cloud services.

Workers.dev abused by attackers

****The Fastest Way to Uncover Phishing Threats****

Interactive sandboxes like ANY.RUN allows security teams to safely detonate suspicious URLs, monitor real-time redirections, and expose phishing behaviour as it unfolds. With verdicts in under 40 seconds, analysts can quickly understand whether a domain is benign, malicious, or part of a broader campaign.

Key benefits for SOC teams:

*   **Trace full redirect chains** – Follow every jump, even when the initial domain appears harmless or masked behind a short link.
*   **Uncover phishing kits, credential stealers, and scam pages** – See phishing behaviour in action, including form captures, fake login flows, and injected scripts.
*   **Extract IOCs and artefacts automatically** – Get domain names, URLs, IPs, dropped files, and more without manual digging.
*   **Reduce investigation time and false positives** – Use behaviour-based verdicts to make faster, more confident decisions.
*   **Inspect phishing pages across platforms** – Identify threats targeting Windows, Android, Linux, and web environments from a single interface.
*   **Simulate real user behaviour** – Interact with phishing pages to trigger hidden actions like redirects, pop-ups, or fake login prompts.
*   **Generate shareable reports instantly** – Export evidence and IOC-rich reports for incident response, team handoffs, or client notifications.

20 Top-Level Domain Names Abused by Hackers in Phishing Attacks

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London…

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London trial. Stability AI calls the lawsuit an “overt threat” to the generative AI industry.

London’s High Court began hearing a major legal case on June 9, 2025, involving Getty Images and Stability AI. This highly anticipated trial, expected to last three weeks, is being called “the most significant case to reach the High Court” by leading intellectual property lawyers.

****The Dispute****

At the heart of the case is Getty Images’ accusation that Stability AI, a London-based developer of generative AI systems, illegally collected millions of Getty’s copyrighted images without permission, hence breaching copyright laws.

Getty, a prominent visual media company and stock photography licensor, alleges that Stability AI copied and altered content from its website, gathered via the LAION-5B dataset, which includes billions of image-text pairs scraped from various websites including Getty’s, to train its Stable Diffusion model. This model can create new, synthetic images based on user commands.

Getty points to Stability AI’s UK presence and English-language website as evidence of targeting UK users, arguing that Stability altered its content by adding noise and creating further copies during the decoding process for training, all without consent.

Additionally, Getty claims that not just images created by Stable Diffusion copied significant portions of their copyrighted content, these sometimes even displayed Getty’s watermarks. They also allege that if users provide Getty images as prompts, the AI’s output can be almost identical.

This landmark case extends beyond just copyright. Getty also alleges trademark infringement and database rights infringement. They claim Stability AI used Getty’s registered trademarks, “GETTY IMAGES” and “ISTOCK” in both the training data and the generated outputs.

****Stability AI’s Counter Claims:****

Stability admits using some Getty images for training but argues the training happened outside the UK. It denies infringement, stating that it didn’t use Getty’s trademarks in the course of trade and its generated images don’t use Getty’s copyrighted works, so, any similarities are accidental since users are responsible for any copying, not the platform itself.

Additionally, Getty’s claim that Stability AI unlawfully extracted and reused a significant portion of its database content for AI training, is challenged by questioning the validity of Getty’s asserted database rights.

Stability lawyer Hugo Cuddigan states that Getty’s lawsuit is “an overt threat” to its business and the broader generative AI industry. Its spokesperson claims that artists using their tools are creating works based on “collective human knowledge,” which aligns with “fair use and freedom of expression.”

However, Lindsay Lane, Getty Images’ lawyer, clarified that their case is not against technology but against the use of copyrighted works “without payment,” asserting that AI and creative industries can coexist.

****Impact on AI and Creativity****

This case has emerged at a time when creative industries are grappling with the implications of AI models trained on existing copyrighted material. Legal experts believe this case is expected to deliver one of the first substantive judgments in the global wave of AI-related intellectual property disputes.

Legal expert Iain Connor, an intellectual property partner at Michelmores LLP, shared his comment with Hackread.com, emphasizing the case’s importance in setting boundaries for copyright in the AI era.

“This is the most significant AI case to reach the English High Court. The legal community is waiting with bated breath to see how far the judgment will go to rule on the legality or otherwise of the use of AI models.”

“The case is much more nuanced than ‘big tech vs creative industries’ and the legal arguments are even more nuanced as one of the big issues to be determined is ‘where did the ingestion of information which allegedly infringes Getty Images take place?” added Iain.

“The judge may take the opportunity to rule widely on the lawfulness of AI’s use of ‘input materials” and whether “AI output” infringes third-party rights,” he explained. _“_Alternatively, the decision could be a damp squib and deal with the case on the narrow jurisdictional issue of where Stability AI trained its AI model which, if outside the UK, could leave us without a meaningful verdict.”

Getty Images Sues Stability AI for Using Its Photos to Train AI Models

Explore how learning management systems (LMS) software supports safe online learning, protects employee data, and ensures compliance in…

Explore how learning management systems (LMS) software supports safe online learning, protects employee data, and ensures compliance in corporate training. 

Online training has taken off these days, particularly with the popularity of remote and hybrid work settings. The 2024 Training Industry Report shows that 34% of small businesses and 36% of larger organizations are now maximizing virtual or computer-based methods to train and enhance their teams. The transition to online learning has sped up significantly, completely changing how companies nurture their talent. (1)  

This article explains how modern LMS software supports secure employee learning and what features businesses should prioritize when selecting a platform.  

****Why Secure Online Learning Matters**  **

If you’ve ever handled employee records, certifications, or internal training materials, you already know the risks of exposing these pieces of information. Data breaches and unauthorized access are real threats that can cost you dearly. Even a single and minor security breach can lead to legal penalties, damage your reputation, and worst of all, lose the trust of your employees and clients.  

The stakes are even higher for global organizations. Privacy laws like GDPR have strict guidelines on how personal data should be handled, and failing to observe them can lead to fines of up to 4% of your annual revenue. (2)  

According to TalentLMS, a secure LMS software provider since 2012, LMS must provide features like encryption, access controls, and audit trails. All these are designed to help organizations meet regulatory requirements while keeping sensitive information safe.

****How LMS Software Supports Security**  **

Modern learning management systems are designed with multiple layers of security protocols to help reduce risks. Here are several ways they ensure your data stays safe:  

****Following Global Security Standards**  **

Dependable LMS providers follow internationally recognized security standards. Two of the most important certifications you should look for are ISO/IEC 27001:2013 and ISO 9001:2015.  

The ISO/IEC 27001:2013 standard protects information assets through effective risk management. This means organizations should have strong controls in place and have effective plans for handling security issues.  

ISO 9001:2015, on the other hand, focuses on quality management systems. It ensures the LMS provider follows strict development processes to avoid problems caused by software bugs or inconsistent updates that hackers could exploit. 

Think of it as a dual strategy: ISO 27001 secures your data, and ISO 9001 ensures the software is built with attention to quality and dependability. Choosing an LMS that aligns with these standards means teaming up with a provider dedicated to global best practices. 

If your organization operates in or serves clients within the European Union, complying with GDPR is a must. Even companies based outside the EU often embrace GDPR principles to build trust and simplify their international dealings. A GDPR-compliant LMS guarantees that personal data is handled legally, transparently, and for specific purposes.  

Here are some key features to consider:  

*   **Explicit consent management:** Employees must consent to data collection and be clearly informed how their information will be utilized.

*   **Data minimization:** The LMS should only gather what’s necessary, with no unnecessary employee details. 

*   **Right to erasure:** Users can request the deletion of their data, and the platform must comply within strict timeframes.

An LMS built with the GDPR principles ensures that privacy is prioritized at every step.  

****Applying Quality and Security Best Practices**  **

Beyond certifications and compliance, top-tier LMS platforms should integrate security into their DNA. Here’s what that looks like in practice:  

*   **Regular security audits:** Auditors should spot vulnerabilities before they can be exploited. Look for providers who perform penetration tests and code reviews. These audits mimic real-world attacks to uncover any weak spots. If a vulnerability is discovered, the vendor should fix it immediately and record how they resolved it. 

*   **Secure infrastructure:** Your data should be encrypted both while it’s being transmitted and when it’s stored. Adding multi-factor authentication (MFA) can also lower your chances of being targeted by hackers by an impressive 99%. For instance, even if a hacker manages to steal a password, they’ll still need a one-time code sent to the employee’s phone to get into the system. (3) 

*   **Role-based access controls (RBAC):** Not every user needs full admin rights. RBAC limits access to sensitive features based on job roles, which helps reduce insider threats. For example, a training manager might be able to upload content but wouldn’t have the ability to export employee data. Similarly, an external contractor might only be able to view certain courses without having access to internal reports. 

*   **Continuous monitoring:** Real-time threat detection systems can flag suspicious activities, such as multiple failed login attempts or unusual data downloads. 

These practices come together to form a “defence in depth” strategy and make it extremely harder for attackers to find a weakness. 

****Takeaway**  **

When you invest in the right LMS software, you can successfully protect sensitive data, observe global regulations, and promote a culture of security awareness. Focus on platforms that meet ISO standards, respect and follow GDPR principles, and integrate security at every level of their design. 

**References:** 

1.  “68 Training Industry Statistics: 2025 Data, Trends & Predictions”, Source: https://research.com/careers/training-industry-statistics  
2.  “The Consequences of Non-Compliance with Data Protection Regulations on Business Analytics”, Source: https://www.researchgate.net/publication/386409782\_The\_Consequences\_of\_Non-Compliance\_with\_Data\_Protection\_Regulations\_on\_Business\_Analytics  
3.  “Multifactor Authentication”, Source: https://www.cisa.gov/topics/cybersecurity-best-practices/multifactor-authentication

How LMS Software Supports Secure Online Employee Learning

Malicious npm packages found with hidden endpoints that wipe systems on command. Devs warned to check dependencies for express-api-sync, system-health-sync-api.

Security researchers have identified two npm packages that do far more than they claim. Disguised as utilities for system monitoring and data syncing, these packages introduce destructive backdoors that can remotely wipe out all files in a developer’s application, on demand.

Socket’s Threat Research Team exposed the malicious packages, express-api-sync and system-health-sync-api, both published under the npm account “botsailer.” While the names suggest harmless functionality, the underlying code tells a much darker story.

****A Dangerous Disguise****

According to the company’s technical report shared with Hackread.com, the express-api-sync package presents itself as a simple tool for syncing databases. But instead of syncing anything, it injects a hidden HTTP POST endpoint (/api/this/that) into any Express app that includes it.

Once triggered with the hardcoded key “DEFAULT\_123,” it executes the Unix command rm -rf *, effectively erasing everything in the application’s current directory, source code, configs, user uploads, and even local databases.

This attack activates silently. No logs, no console output, and thanks to an empty error handler, no indication if the route registration fails. Most developers wouldn’t notice anything unusual until it’s too late.

****Sophisticated Threat****

While express-api-sync is destructive, system-health-sync-api takes things further. It’s structured like a real system monitor, complete with a functioning health check, SMTP integration, and dynamic support for Express, Fastify, and even raw HTTP servers.

Beneath the surface, it gathers server data, hostname, IP, process ID, and environment hash, and sends it via email to a hardcoded address: anupm019@gmailcom. It even logs backend URLs, helping attackers map server infrastructure.

This package supports cross-platform file deletion: rm -rf * for Unix-based systems and rd /s /q . for Windows, a command that doesn’t just delete files, it wipes the current directory entirely.

****Built-In Command and Control****

The backdoor can be triggered via two POST endpoints (/_/system/health and /_/sys/maintenance), each requiring the secret key “HelloWorld.” Developers might think the configuration is customizable, but default values ensure the attacker’s access works unless settings are explicitly overridden.

Email is used as a covert control channel. SMTP credentials are baked into the package, masked with Base64 encoding but easily decoded. When the system starts, the malware checks connectivity to the mail server. If successful, it confirms that the attacker’s command channel is active.

****How It Works Behind the Scenes****

1.  **Reconnaissance**: A GET request to /_/system/health returns system info.
2.  **Dry Run (optional)**: If configured, attackers can test without causing damage.
3.  **Destruction**: A POST request with the right key triggers full file deletion.
4.  **Notification**: Email alerts are sent with detailed server fingerprints and backend URLs.

The package even adjusts responses to help attackers understand when keys are incorrect, offering hints on proper usage.

Analysis of the malicious express-api-sync package by Socket’s AI-powered scanner (Via Socket)

Most supply chain attacks focus on stealing data or cryptocurrency. These two packages aim for destruction. It’s a shift in motivation, from profit to sabotage. Attackers now appear more interested in taking systems offline, collecting infrastructure intel, or disrupting competitors. And they’re building tools that can sit dormant, gather information, and activate when least expected.

The use of middleware makes this even more dangerous. Middleware runs on every request and often has full access to app internals. These packages exploit that trust, quietly embedding routes with the power to destroy an entire production environment.

Jim Routh, Chief Trust Officer at Saviynt, commented on the latest development, stating, “This is a case of a software supply chain compromise using malware designed to appear to be benign that then activates a back door once it is embedded. The key for enterprises is to improve the identity access management for everyone with access to the software build process including employees and contractors.”

Developers and DevOps teams should review their dependencies immediately. Use behavioural scanning tools that inspect what packages do, not just what they claim. Traditional scanners miss these threats because they don’t look at runtime behaviour.

Hidden Backdoors in npm Packages Let Attackers Wipe Entire Systems

A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses…

A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses from over 500 Canva Creators. The exposed data included email addresses, feedback on Canva’s Creator Program, and personal insights into the experiences of designers across more than a dozen countries.

The data exposure was discovered by cybersecurity firm UpGuard, which confirmed the database was publicly accessible and lacked authentication. While much of the database stored generic or public data, one particular collection stood out: it contained responses to a detailed survey issued to Canva Creators, a global group of content contributors to the design platform.

The survey data included 571 unique email addresses and detailed responses to 51 questions, covering topics such as royalties, user experience, and AI adoption. Some email addresses appeared multiple times, indicating that users had completed the survey more than once.

According to UpGuard’s report shared with Hackread.com ahead of publishing on Monday, this incident is the first known leak involving a Chroma database, a technology used to help chatbots reference specific documents when responding to queries.

The database, hosted on an IP address in Estonia, appeared to be controlled by My Jedai, a small Russian company that provides AI chatbot services. Users of the platform can upload documents of any type to power their chatbots, often without much technical oversight.

The presence of Canva data in this context raised questions about how sensitive information ends up in AI training systems or chatbot backends. Although Chroma is not inherently insecure, it requires proper configuration to prevent public exposure. In this case, the database was left wide open to the internet.

Canva responded to the findings with a statement to Hackread:

> _“We recently became aware that a file containing email addresses and survey responses from a small group of Canva Creators was uploaded to a third-party website. The information was not connected to Canva accounts or platform data in any way. The database owned by the third-party site was not adequately secured, which led to the information being accessible.”_
> 
> _“The issue was reported to us by a security researcher, who discovered the exposed information using specialist tools, but is not broadly accessible to regular internet users, nor was it indexed by popular search engines. We’ve confirmed the file contents have been removed, and site logs show it was not accessed by others.”_
> 
> _“We’ve already contacted the affected Creators and are complying with all our legal obligations, including notifying regulators where required. We’re deeply invested in keeping our community’s data safe and secure, and we’re reviewing our processes to help prevent this from happening again.”_
> 
> _\-Canva spokesperson_

While there’s no indication that the data has been misused, experts point out that even limited personal information combined with survey content can be useful for targeted phishing attempts. Respondents shared details about their professional roles, creative habits, and satisfaction with the Canva platform, information that could be exploited if placed in the wrong hands.

My Jedai, the company whose database was exposed, is a microenterprise founded in Russia. It allows users to build chatbots powered by their own documents. The company was quick to act once notified and secured the exposed database within a day of UpGuard’s outreach.

The leak shows how AI technologies are creating new, unpredictable channels for data exposure. As more companies adopt tools like Chroma to power customer-facing bots or internal assistants, the pressure to push data into these systems can lead to shortcuts and mistakes.

This case also highlights how widely AI tools are being used around the world, often in unexpected ways. Data collected in surveys by an Australian tech giant ended up in an unsecured database managed by a small Russian firm, hosted on servers in Estonia. With the increasing use of LLMs and third-party chatbot tools, traditional boundaries for data custody are becoming harder to track.

UpGuard noted that many of the documents in the database were harmless or even nonsensical, including “mystical doctrines” and romantic advice scraped from public websites like Marie Claire and WikiHow.

However, the presence of real-world corporate data, including internal chat transcripts and links to restricted file-sharing platforms, shows how easy it is for more sensitive content to slip into AI systems without proper protection.

Source

HackRead