Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-4vjr-hfpp-2m7w: expand-object Vulnerable to Prototype Pollution via the expand() Function

Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.

GHSA-qw64-6vcc-8ghx: Browsershot Server-Side Request Forgery (SSRF) via setURL() Function

All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.

GHSA-fq5x-7292-2p5r: React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button

Versions of the package bigint-buffer from 0.0.0 to 1.1.5 are vulnerable to Buffer Overflow in the toBigIntLE() function. Attackers can exploit this to crash the application.

GHSA-3gc7-fjrx-p6mg: bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function

A hacker, previously linked to the Tracelo breach, now claims to have breached Twilio’s SendGrid, leaking and selling data on 848,000 customers, including contact and company info.

A hacker using the alias Satanic is claiming responsibility for what could be a major breach involving SendGrid, a cloud-based email delivery platform owned by **Twilio**.

According to a post made earlier today, Thursday, April 3, 2025, on Breach Forums, a popular cybercrime platform, Satanic is offering the allegedly stolen data for $2,000 and has shared a sample to support the claim. In the post, the hacker stated:

> _“We would like to announce the breach of the largest Email Hosting Provider – SendGrid is cloud-based email infrastructure provides businesses with email delivery management. (3 April 2025).”_

Screenshot credit: Hackread.com

****What’s allegedly included in the breach?****

Satanic claims the database includes full customer and company information for 848,960 entities. Hackread.com’s research team analysed the sample data provided by the hacker, which included the following information:

*   Customer emails, phone numbers, physical addresses, cities, states, countries, social media profiles, and LinkedIn IDs

*   Company-level data such as domain names, revenue, employee counts, SEO performance, hosting providers, and rankings from services like Cloudflare and Tranco

*   Financials like revenue, operating income, net income, and other business metrics

*   Employee data and some public-facing executive details

*   Information on company tech stacks, including CMS platforms, payment solutions, and CRM tools

Additionally, among the companies listed in the sample data are Bank of America, Bazaarvoice, and the BBC. The data appears to be structured and highly detailed and includes dozens of metadata fields that go far beyond just contact information.

Each entry features web analytics metrics, internal email addresses (including those of high-level staff), phone numbers, geolocation data, and even insights into backend technologies and accessibility compliance. If the data is authentic, this could be more than a traditional leak.

Sample data leaked by the hacker (Screenshot credit: Hackread.com)

****Satanic’s track record****

This isn’t the first time that Satanic has been tied to a major data breach. In September 2024, the same hacker was behind the **Tracelo incident**, where personal data on 1.4 million users of a smartphone geolocation tracking service was leaked online. Beyond high-profile breaches, Satanic is also known in underground communities for distributing infostealer logs via Telegram.

****Twilio’s recent breach history****

This would also not be the first time Twilio, SendGrid’s parent company, has been associated with data exposures. **On July 4, 2024**, the hacker group ShinyHunters leaked a dataset containing 33 million phone numbers belonging to users of Twilio Authy, a two-factor authentication app.

Then, **in September 2024**, a separate breach exposed 12,000 call records through a third-party tool used by a Twilio customer. While neither incident confirmed a direct compromise of Twilio’s infrastructure, they did raise questions about data security.

****Still unconfirmed****

At the time of writing, Hackread.com has reached out to Twilio for comment. It’s important to note that these are unverified claims made by a hacker, and no official confirmation has been issued by Twilio or SendGrid.

However, given the nature of the sample and the profile of the individual making the claims, security teams and impacted organizations may want to take a closer look.

This is a developing story.

Hacker Claims Twilio’s SendGrid Data Breach, Selling 848,000 Records

Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Thursday, April 3, 2025 14:03

Welcome to this week’s edition of the Threat Source newsletter. 

They say art is subjective, but have you ever seen a well-formatted bar chart? Van Gogh had _Starry Night_, but Talos’ 2024 Year in Review (available now!) has color-coded data with perfect labels. True beauty. 

If you haven’t yet had a chance to fully digest this gorgeous report (massive shout-out to our creative team), here are some links. Clicking on them may not change your life, but what if it does? Only one way to find out: 

Our Year in Review landing page houses all our Year in Review content, from videos to podcasts and topic summaries. There's more content coming out every week this month. Oh, you can also download the report itself here, which is useful. 

Here’s a two-minute animated overview. Watch those bad boy bar charts come to life. 

The TTP: Year in Review Special (Part 1) is inspired by The Last of Us in more ways than you might think. We have a two-part video interview with the report’s authors, featuring me calling cybercriminals “cheeky f\*\*\*\*\*s." Part 2 is coming out tomorrow, April 4th. 

This Beers with Talos B team episode genuinely caused someone to direct message me, citing their spouse’s concerns about their laughter levels when listening (“Are you okay?”). 

A couple of the report’s top findings: 

*   Ransomware actors overwhelmingly leveraged valid accounts for initial access in 2024, with this tactic appearing in almost 70 percent of Cisco Talos Incident Response cases. 
*   Operators endeavored to disable targets’ security solutions in most of the Talos IR cases we observed, almost always succeeding. 
*   Some of the top-targeted network vulnerabilities affect end-of-life (EOL) devices and therefore have no available patches, despite still being actively targeted by threat actors.

**The one big thing **

Cisco Talos is actively tracking an ongoing campaign targeting users in Ukraine with malicious LNK files, which run a PowerShell downloader. The file names use Russian words related to the movement of troops in Ukraine as a lure. Talos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group. 

**Why do I care? **

The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns and this campaign continues the use of this technique. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names that are related to the invasion. 

**So now what? **

Ways our customers can detect and block this threat are listed in this dedicated blog post.

**Top security headlines of the week**

**Gootloader Malware Resurfaces in Google Ads for Legal Docs**: Attackers target law professionals by hiding the infostealer in ads delivered via Google-based malvertising. (Dark Reading) 

**UK threatens £100K-a-day fines under new cyber bill:** The tech secretary revealed the landmark legislation's full details for first time. (The Register) 

**Hacker linked to Oracle Cloud intrusion threatens to sell stolen data**: The alleged breach was linked to a critical vulnerability (Cybersecurity Dive) 

**WordPress attackers hide malware in overlooked plugins directory**: The Must-Use plugins (mu-plugins) directory is used to store essential plugins that are necessary for a site to run properly. (SC Magazine)

**Can’t get enough Talos? **

I mean, bless you if that’s the case, because the Year in Review links in the opening section are probably enough to keep you going. But if you’re still thirsty for more, here’s what the press have been making of the Year in Review findings: 

*   **CNET:** Phishing Emails Aren't as Obvious Anymore. Here's How to Spot Them
*   **The Register**: Ransomware crews add 'EDR killers' to their arsenal - and some aren't even malware
*   **SiliconANGLE**: Cisco Talos report finds identity-based attacks drove majority of cyber incidents in 2024
*   **CyberScoop:** Identity lapses ensnared organizations at scale in 2024

**Upcoming events where you can find Talos**

*   RSA (April 28 – May 1) San Francisco, CA  
*   PIVOTcon (May 7 – 9) Malaga, Spain  
*   CTA TIPS 2025 (May 14 – 15) Arlington, VA  
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA 256:** **9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376  Typical Filename: c0dwjdi6a.dll   VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991

**SHA 256:** **5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1**   
MD5: 3e10a74a7613d1cae4b9749d7ec93515    
VirusTotal: https://www.virustotal.com/gui/file/5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1   
Typical Filename: IMG001.exe    
Claimed Product: N/A    
Detection Name: Win.Dropper.Coinminer::1201 

**SHA256:** **47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca**  
MD5: 71fea034b422e4a17ebb06022532fdde     
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details  
Typical Filename: VID001.exe     
Claimed Product: N/A     
Detection Name: Coinminer:MBT.26mw.in14.Talos

One mighty fine-looking report

Cybersecurity researchers at Jscamblers have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…

Cybersecurity researchers at Jscamblers have uncovered a sophisticated **web-skimming** campaign targeting online retailers. The campaign utilizes a legacy application programming interface (**API**) to validate stolen credit card details in real time before transmitting them to malicious servers. This technique allows attackers to ensure they are only harvesting active and valid card numbers, significantly increasing the efficiency and potential profit of their operations.

According to Jscrambler’s analysis, shared with Hackread.com, this web-skimming operation has been ongoing since at least August 2024. The attack starts with the injection of malicious JavaScript code, designed to mimic legitimate payment forms, into the checkout pages of targeted websites. This code captures customer payment information as it is entered. The second phase involves obfuscation using a base64-encoded string, which conceals crucial URLs from static security analyses, such as those performed by Web Application Firewalls (**WAFs**).

The key innovation in this campaign lies in its use of a deprecated version of the **Stripe API**, a popular payment processing service, to verify the card’s validity before the data is sent to the attackers’ servers. In the third stage, the legitimate Stripe iframe is concealed and replaced with a deceptive imitation, and the “Place Order” button is cloned, hiding the original. The entered payment data is validated using Stripe’s API, and card details, if confirmed, are quickly transmitted to a drop server controlled by the attackers. The user is then prompted to reload the page following an error message.

Researchers have identified that affected online retailers are primarily those using popular e-commerce platforms like **WooCommerce**, **WordPress**, and **PrestaShop**. They also observed **Silent Skimmer** variants, but not consistently.  Around 49 affected merchants, a figure suspected to be an underestimate, were identified, along with two domains used to serve the attack’s second and third stages. An additional 20 domains on the same server were also detected. Jscrambler reported that 15 of the compromised sites had addressed the issue.

Further probing revealed that the skimmer scripts are dynamically generated and tailored to each targeted website, indicating a high degree of sophistication and automated deployment. Researchers employed a brute-forcing technique, manipulating the Referrer header, to identify additional victims.

In one instance, the skimmer impersonated a Square payment iframe while in some other instances, the skimmer injected payment options, such as cryptocurrency wallets, dynamically inserting fake **MetaMask** connection windows. The wallet addresses associated with these attempts showed little to no recent activity, though.

In their **blog post**, researchers have warned Merchants to implement real-time webpage monitoring solutions to detect unauthorized script injections, whereas Third-Party Service Providers (TPSPs) can enhance security by adopting hardened iframe implementations to prevent iframe hijacking and form modifications.

Screenshot of the Iframed fake square payment form

“Jscrambler’s research team continues to track this campaign, and we urge all online merchants to prioritize security measures against client-side threats,” researchers concluded.

Hackers Exploit Stripe API for Web Skimming Card Theft on Online Stores

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

GHSA-7vc5-mjwp-c8fq: LMDeploy Improper Input Validation Vulnerability

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-2rrx-pphc-qfv9: pgAdmin 4 Vulnerable to Cross-Site Scripting (XSS) via Query Result Rendering

Jacksonville, United States, 3rd April 2025, CyberNewsWire

**Jacksonville, United States, April 3rd, 2025, CyberNewsWire**

Secure Ideas, a premier provider of penetration testing and security consulting services, proudly announces its recent achievements of CREST accreditation and CMMC Level 1 compliance, reinforcing its commitment to delivering the highest standards of security assessment and regulatory compliance for its clients.

With these certifications, Secure Ideas strengthens its ability to deliver globally recognized, standards-based offensive security services, specializing in identifying vulnerabilities, exploiting weaknesses, and exposing gaps in critical systems.

****CREST Accreditation: Excellence in Penetration Testing****

Secure Ideas’ achievement of CREST (Council for Registered Ethical Security Testers) accreditation underscores its adherence to the highest legal, ethical, and technical standards in penetration testing. CREST-accredited organizations undergo rigorous evaluations of their business processes, security methodologies, and quality assurance frameworks.

As a CREST-certified penetration testing provider, Secure Ideas ensures that all penetration tests—whether network, web application, API, or physical security—are conducted following established best practices in scoping, reconnaissance, assessment, exploitation, and reporting. This certification provides clients with increased assurance that their security posture is being evaluated using proven methodologies by experienced professionals.

****CMMC Level 1 Compliance: Protecting DoD Information****

In addition to CREST certification, Secure Ideas has also achieved Cybersecurity Maturity Model Certification (CMMC) Level 1. Developed by the Department of Defense (DoD) to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), CMMC requires defense contractors and subcontractors to implement cybersecurity standards at progressively advanced levels.

CMMC Level 1 focuses on the basic safeguarding of FCI by ensuring compliance with 15 security requirements outlined in FAR clause 52.204-21. These requirements include essential practices such as:

*   Limiting access to authorized users.
*   Protecting physical and digital access to information.
*   Implementing secure configurations for devices and systems.

CMMC compliance has become a mandatory requirement for organizations working with the DoD. By achieving Level 1 compliance, Secure Ideas strengthens its position to support defense contractors and subcontractors in meeting their own compliance obligations.

**Key Benefits for Clients:**

*   **Globally Recognized Standards:** Testing and security services aligned with internationally recognized frameworks.
*   **Enhanced Security Assurance:** CREST and CMMC compliance ensure robust protection of sensitive data.
*   **Regulatory Compliance Support:** Certifications align with GDPR, ISO 27001, PCI DSS, and NIS Regulations, helping clients meet regulatory requirements.

**About Secure Ideas**

Secure Ideas is a leading provider of adversarial cybersecurity solutions and services, dedicated to helping businesses of all sizes protect their information and assets from cyber threats. With a team of experienced and skilled professionals, Secure Ideas offers innovative products and services designed to meet the unique security needs of organizations in a rapidly evolving digital landscape. For more information, users can visit secureideas.com.

**Contact**

**COO**  
**Andrew Kates**  
**Secure Ideas**  
**\[email protected\]**  
**9049628046**

Tag

#auth