Plus: China’s Salt Typhoon hackers target 600 companies in 80 countries, Tulsi Gabbard purges CIA agents, hackers knock out Iranian ship communications, and more.

As students returned to school this week, WIRED spoke to a self-proclaimed leader of a violent online group known as “Purgatory” about a rash of swattings at universities across the US in recent days. The group claims to have ties to the loose cybercriminal network known as The Com, and the alleged Purgatory leader claimed responsibility for calling in hoax active-shooter alerts.

Researchers from multiple organizations warned this week that cybercriminals are increasingly using generative AI tools to fuel ransomware attacks, including real situations where cybercriminals without technical expertise are using AI to develop the malware. And a popular, yet enigmatic, shortwave Russian radio station known as UVB-76 seems to have turned into a tool for Kremlin propaganda after decades of mystery and intrigue.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**DOGE Put Social Security Data on a Vulnerable Server, Whistleblower Says**

Since it was first created, critics have warned that the young and inexperienced engineers in Elon Musk’s so-called Department of Government Efficiency (DOGE) were trampling over security and privacy rules in their seemingly reckless handling of US government data. Now a whistleblower claims that DOGE staff put one massive dataset at risk of hacking or leaking: a database containing troves of personal data about US residents, including virtually every American’s Social Security number.

The complaint from Social Security Administration chief data officer Charles Borges, filed with the Office of the Special Counsel and reviewed by The New York Times, states that DOGE affiliates explicitly overruled security and privacy concerns to upload the SSA database to a cloud server that lacked sufficient security monitoring, “potentially violating multiple federal statutes” in its allegedly reckless handling of the data. Internal DOGE and SSA communications reviewed by the Times shows officials waving off concerns about the data’s lack of sanitization or anonymization before it was uploaded to the server, despite concerns from SSA officials about the lack of security of that data transfer.

Borges didn’t allege that the data was actually breached or leaked, but Borges emphasized the vulnerability of the data and the immense cost if it were compromised. “Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital health care and food benefits, and the government may be responsible for reissuing every American a new Social Security number at great cost,” Borges wrote.

**China’s Salt Typhoon Hackers Targeted 600 Companies, FBI Says**

Nearly 10 months have passed since the revelation that China’s cyberespionage group known as Salt Typhoon had penetrated US telecoms, spying on Americans’ calls and texts. Now the FBI is warning that the net cast by those hackers may have been far broader than even previously thought, encompassing potential victims in 80 countries. The bureau’s top cyber official, Brett Leatherman, told The Wall Street Journal and The Washington Post that the hackers had shown interest in at least 600 companies, which the FBI notified, though it’s not clear how many of those possible targets the hackers breached or what level of access they achieved. “That global indiscriminate targeting really is something that is outside the norms of cyberspace operations,” Leatherman told the Journal. The FBI says that Salt Typhoon’s telecom hacking alone resulted in the spies gaining access to at least a million call records and targeted the calls and texts of more than a hundred Americans.

**Purges and Cuts Leave CIA Officers on a Short Political Leash**

Days after Donald Trump’s Alaska summit with Vladimir Putin, the White House moved to gut its own intelligence ranks. A senior CIA Russia analyst—29 years in service and slated for a coveted overseas post—was abruptly stripped of her clearance, The Washington Post reported. She was one of 37 officials forced out under an August 19 memo from Director of National Intelligence Tulsi Gabbard. The order listed no infractions. To colleagues, it looked like a loyalty purge. The firings have reportedly unsettled the CIA’s rank and file, sending a message that survival depends on hewing intelligence to fit the president’s views.

On Monday, Gabbard unveiled what she calls “ODNI 2.0,” a restructuring that cuts more than 500 positions and shutters or folds whole offices she deems redundant. The Foreign Malign Influence Center and the Cyber Threat Intelligence Integration Center are being pared back, while the National Intelligence University will be absorbed into the Pentagon’s defense school. Gabbard says the plan will save $700 million a year and depoliticize intelligence. Critics noted, however, a fact sheet published by Gabbard on Monday itemized only a fraction of those savings, and tjeu warned that the overhaul could hollow out the very coordination ODNI was created post-9/11 to provide—discarding expertise and leaving the intelligence fragmented at a time of escalating threats.

DOGE Put Everyone’s Social Security Data at Risk, Whistleblower Claims

A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on `images.domains` or `images.remotePatterns` are encouraged to upgrade and verify that external image sources are strictly validated.

More details at [Vercel Changelog](https://vercel.com/changelog/cve-2025-55173)

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Spark New
        
        Build and deploy intelligent apps
        
    *   GitHub Models New
        
        Manage and compare prompts
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-55173

**Next.js Content Injection Vulnerability for Image Optimization**

Moderate severity GitHub Reviewed Published Aug 29, 2025 in vercel/next.js • Updated Aug 29, 2025

**Affected versions**

< 14.2.31

\>= 15.0.0, <= 15.4.4

**Patched versions**

14.2.31

15.4.5

**Description**

A vulnerability in **Next.js Image Optimization** has been fixed in **v15.4.5** and **v14.2.31**. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

**References**

*   GHSA-xv57-4mr9-wg8v
*   vercel/next.js@6b12c60
*   http://vercel.com/changelog/cve-2025-55173

Published to the GitHub Advisory Database

Aug 29, 2025

Last updated

Aug 29, 2025

**EPSS score**

GHSA-xv57-4mr9-wg8v: Next.js Content Injection Vulnerability for Image Optimization

Amazon on Friday said it flagged and disrupted what it described as an opportunistic watering hole campaign orchestrated by the Russia-linked APT29 actors as part of their intelligence gathering efforts.
The campaign used "compromised websites to redirect visitors to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft's device code

Amazon Disrupts APT29 Watering Hole Campaign Abusing Microsoft Device Code Authentication

Google has revealed that the recent wave of attacks targeting Salesforce instances via Salesloft Drift is much broader in scope than previously thought, stating it impacts all integrations.
"We now advise all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised," Google Threat Intelligence Group (GTIG) and

Google Warns Salesloft OAuth Breach Extends Beyond Salesforce, Impacting All Integrations

CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must…

CISA has added three actively exploited vulnerabilities in Citrix and Git to its KEV Catalogue. Federal agencies must patch the flaws by September 15, 2025.

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its list of flaws that are actively being exploited by hackers, warning federal agencies to patch them immediately. The urgent alert, issued on August 25, 2025, covers two vulnerabilities in Citrix Session Recording and a major flaw in Git, the popular code management system.

These vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalogue, a public list of security issues that are confirmed to be under attack. While the mandate to fix these vulnerabilities applies directly to federal government agencies, CISA strongly urges all private organisations to treat these as a top priority for remediation to protect against cyber threats.

****Flaws in Citrix and Git****

Two of the newly added vulnerabilities, identified as CVE-2024-8068 and CVE-2024-8069, affect Citrix Session Recording. Both of these flaws have a CVSS score of 5.1, which is considered a medium-severity rating.

Reportedly, these flaws could allow an attacker who is already inside a network to take over a system and run malicious code. The vulnerabilities can only be exploited by an authenticated user on the same network, meaning a hacker needs to have a foothold inside the system first. Citrix released security patches for both of these issues back in November 2024.

The third vulnerability, CVE-2025-48384, affects Git, a tool that millions of developers use to manage and share their code. This particular flaw, which was given a high severity score of 8.1, stems from how Git handles certain text characters in its configuration files.

An attacker could exploit this by composing a malicious file that, when a user clones a repository, could lead to a silent and unexpected code execution on their machine. A proof-of-concept for this exploit was released by Datadog shortly after it was patched by Git in July 2025.

****The Call to Action****

To comply with Binding Operational Directive (BOD) 22-01, all US Federal Civilian Executive Branch agencies must fix these vulnerabilities by September 15, 2025. CISA emphasises that all organisations should make it a practice to regularly review the KEV Catalogue and prioritise fixing the flaws listed, as they represent the most immediate and significant risks being exploited in the wild.

In a comment shared with Hackread.com, Gunter Ollmann, CTO of Cobalt, emphasised the importance of this alert for everyone. He explained that even moderate security flaws can become highly dangerous when hackers have access to reliable tools to exploit them.

“Organisations should treat the KEV catalogue as a living threat intelligence feed, prioritising remediation of these vulnerabilities because they represent what attackers are actively exploiting today,” he stated.

This highlights that the vulnerabilities on this list are not just theoretical risks; they are the active weapons in an attacker’s arsenal right now.

CISA Adds Citrix and Git Flaws to KEV Catalogue Amid Active Exploitation

Miami, United States, 28th August 2025, CyberNewsWire

**Miami, United States, August 28th, 2025, CyberNewsWire**

Halo Security, a leading provider of external risk management solutions, today announced significant platform enhancements designed to give security teams greater flexibility and control within the platform. The new features include custom dashboards, configurable reports, and improved automation capabilities that give organizations better control over how they visualize and manage their exposure data.

> “No two organizations are the same, and different team members face different challenges,” said Lisa Dowling, CEO of Halo Security. “A vulnerability analyst needs different insights than a compliance manager, and a CISO requires different views than a security specialist. These updates give every team member the ability to create personalized dashboards and reports that make them more effective at protecting their organizations.”

**Key Platform Enhancements**

**Custom Dashboards with Drag-and-Drop Functionality**

Security professionals can now build personalized dashboards using more than a dozen customizable widgets, including risk score trends, critical findings tables, asset distribution charts, and compliance status monitors. The intuitive drag-and-drop interface allows users to create role-specific views while maintaining the ability to share dashboards across teams and apply global filtering across all custom views.

**Configurable Reports for Enhanced Asset Management**

The platform now features fully customizable data tables that allow users to select which columns display in their target lists, create multiple saved views for different scenarios, and resize columns to optimize their workflow. Pre-configured views include summary, scan schedule, tag management, and technical details options.

**Improved Auto-Tagging with Granular Control**

The Halo Security platform now provides more precise control over asset organization. Automations now offer three distinct tagging modes, allowing users to sync, add, or remove tags based on the defined rules. The improved automation system offers better performance and predictability to ensure consistent asset categorization.

**Industry Impact**

The cybersecurity industry continues to grapple with tool sprawl and workflow inefficiencies that can slow response times to critical security incidents. Security teams often struggle with managing multiple tools and platforms, creating challenges in data correlation and workflow management.

> “Security teams shouldn’t have to fight their tools to get the information they need,” said Nick Merritt, VP of Security at Halo Security. “These customization features let our customers organize their data the way they think about it and take control of how they interact with the security data we collect.”

**Availability**

The new customization features are immediately available to all Halo Security customers at no additional cost. Organizations using the platform can access custom dashboard creation through their existing accounts, with shared configurations automatically synchronized across team members.

New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

**Halo Security** is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. 

Users can learn more at **halosecurity.com**.

**Contact**

**VP of Marketing**  
**Nick Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Enhances Platform with Custom Dashboards and Reports

### Impact

Protected content elements that are rendered as fragments are indexed and become publicly available in the front end search.

### Patches

Update to Contao 4.13.56, 5.3.38 or 5.6.1.

### Workarounds

Disable the front end search.

### For more information

If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Spark New
        
        Build and deploy intelligent apps
        
    *   GitHub Models New
        
        Manage and compare prompts
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-57756

**Contao discloses sensitive information in the front end search index**

Moderate severity GitHub Reviewed Published Aug 28, 2025 in contao/contao • Updated Aug 28, 2025

**Package**

composer contao/contao (Composer)

**Affected versions**

\>= 4.9.14, < 4.13.56

\>= 5.0.0-RC1, < 5.3.38

\>= 5.4.0-RC1, < 5.6.1

**Patched versions**

4.13.56

5.3.38

5.6.1

\>= 4.9.14, < 4.13.56

\>= 5.0.0-RC1, < 5.3.38

\>= 5.4.0-RC1, < 5.6.1

**Description**

Published to the GitHub Advisory Database

Aug 28, 2025

Last updated

Aug 28, 2025

**EPSS score**

GHSA-2xmj-8wmq-7475: Contao discloses sensitive information in the front end search index

Microsoft is rolling out a feature that defaults to saving your documents to the cloud. Consumers are divided.

Microsoft has revealed it plans to automatically save all Word document to the cloud. The feature is currently only available to Microsoft 365 Insiders, although it’s likely to expand this to all users in the future.

Microsoft proudly announced:

> “We are modernizing the way files are created and stored in Word for Windows! Now you don’t have to worry about saving your documents: Anything new you create will be saved automatically to OneDrive or your preferred cloud destination.”

The options this feature provides already existed, but Microsoft is changing the default save location for Word documents on Windows.

And Word is just the start:

> “Similar functionality is coming to Excel for Windows and PowerPoint for Windows later this year.”

For those of us that have lost hours of work because we forgot to press Save while we were still writing, this could be a blessing at times. But we can already enable AutoSave and choose OneDrive as an option. So what’s new?

The key change with the new plan is that Word now saves all new documents automatically to the cloud by default, before you even assign a file name. This removes the step where users had to manually initiate the process—the first save, so to speak. Whether you saved the first file locally or in the cloud, until now AutoSave used to activate only after your manual save to OneDrive. Now, Word creates every new document directly in the cloud and turns on AutoSave immediately from the start.

And the advantages are clear. No more forgetting to save, and you can share the document with someone else for collaboration purposes. It also means you can work on the document from any computer, as long as you can login with your Microsoft credentials.

But that last advantage could also be a pitfall. Anyone with your credentials can access all the documents you saved to OneDrive. And even though I realize this may sound alarmist, I have to point out that breaches happen, credentials get stolen, and more documents will be found when this is the default setting.

Users are afraid that with AI integration (Copilot) and saving documents to the cloud, their work will be used to train artificial intelligence (AI) or that this is a Microsoft scheme to sell more cloud storage.

But most of the disgruntled users are saying that big tech’s habit to turn things on by default is annoying, to put it mildly.

**Some pointers**

So, what if you don’t want all your documents saved in the cloud? Or you want to change any of the other default settings that come with this feature?

Other things to remember:

*   You still can’t close a document before saving if you ever need it again. If you close the document before saving, a dialog will appear asking you whether you want to **Discard** or **Keep** it. When you close an empty document, the system discards it without asking for confirmation.
*   If you start a new Word session while another session is running, Word does not automatically save the new file due to a known issue.
*   If you disable the **Show the Start screen when this application starts** setting, Word won’t automatically save the first file you create after launching it.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Microsoft wants to automatically save your Word docs to the cloud 

A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked…

A coalition of international cybersecurity agencies led by the UK’s National Cyber Security Centre (NCSC) has publicly linked three China-based technology companies to a long-running global cyberattack campaign.

In a new advisory, the NCSC and partners from twelve other countries, the United States, Australia, Canada, New Zealand, the Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland and Spain shared technical details about a campaign that has targeted critical networks since at least 2021.

The attacks have impacted several high-profile organisations around the world in sectors like government, telecommunications, transportation, and military infrastructure. The data stolen could ultimately provide Chinese intelligence services with the ability to track communications and movements on a global scale.

****An Unrestrained Campaign****

According to the advisory (PDF), the three China-based companies, “Sichuan Juxinhe Network Technology Co Ltd,” “Beijing Huanyu Tianqiong Information Technology Co,” and “Sichuan Zhixin Ruijie Network Technology Co Ltd,” provide cyber-related services to China’s intelligence agencies.

NCSC chief executive Dr. Richard Horne expressed deep concern, stating that this activity is an “unrestrained campaign of malicious cyber activities on a global scale.” The campaign partially overlaps with a group commonly known as Salt Typhoon. Other groups linked to this campaign include the following:

*   RedMike
*   UNC5807
*   GhostEmperor
*   OPERATOR PANDA

A key finding, as per the US National Security Agency’s press release, is that the attackers have been successful not by using new or complex hacking tools, but by taking advantage of old, well-known vulnerabilities that organisations should have already fixed with security updates.

The campaign successfully exploited flaws in devices from major companies like Ivanti (CVE-2024-21887), Palo Alto Networks (CVE-2024-3400), and Cisco (CVE-2023-20273, CVE-2023-20198, and CVE-2018-0171).

This means that many of these attacks could have been easily avoided. Instead of developing new methods, the hackers simply exploit weaknesses that have been left unpatched.

****What Organisations Can Do****

Given the seriousness of the threat, the agencies are strongly urging organisations to take immediate action. They are advised to proactively look for malicious activity on their networks.

The advisory also provides a specific warning, including that organisations should gain a full understanding of the attackers’ presence before trying to remove them to ensure they can achieve a complete “eviction” from the network.

The advisory also points out the importance of guaranteeing that internet-facing devices are properly secured and that all available security updates are applied. As Dr. Horne emphasised, network defenders must remain vigilant and continuously review their systems for any signs of unusual activity.

****Expert Analysis****

John Hultquist, the Chief Analyst at Google’s Threat Intelligence Group, provided a statement exclusively to Hackread.com, offering further insight into the threat. He noted that the hacking group has a “unique advantage” in evading detection because of its deep expertise in telecommunications systems.

According to Hultquist, Chinese cyber espionage is powered by an “ecosystem of contractors, academics, and other facilitators” who are used to create tools and carry out the attacks. He explained that this model has allowed their operations to grow to an “unprecedented scale.”

Hultquist also highlighted that the reported targeting of hospitality and transportation sectors suggests a goal beyond corporate espionage: gathering information to “closely surveil individuals” and build a complete picture of who they are communicating with, their location, and where they travel.

UK and US Blame Three Chinese Tech Firms for Global Cyberattacks

Anthropic—maker of AI coding chatbot Claude—says cybercriminals have abused Claude to automate and orchestrate sophisticated attacks.

Anthropic—the company behind the widely renowned coding chatbot, Claude—says it uncovered a large-scale extortion operation in which cybercriminals abused Claude to automate and orchestrate sophisticated attacks.

The company issued a Threat Intelligence report in which it describes several instances of Claude abuse. In the report it states that:

> “Cyber threat actors leverage AI—using coding agents to actively execute operations on victim networks, known as vibe hacking.”

This means that cybercriminals found ways to exploit vibe coding by using AI to design and launch attacks. Vibe coding is a way of creating software using AI, where someone simply describes what they want an app or program to do in plain language, and the AI writes the actual code to make it happen.

The process is much less technical than traditional programming, making it easy and fast to build applications, even for those who aren’t expert coders. For cybercriminals this lowers the bar for the technical knowledge needed to launch attacks, and helps the criminals to do it faster and at a larger scale.

Anthropic provides several examples of Claude’s abuse by cybercriminals. One of them was a large-scale operation which potentially affected at least 17 distinct organizations in just the last month across government, healthcare, emergency services, and religious institutions.

The people behind these attacks integrated the use of open source intelligence tools with an “unprecedented integration of artificial intelligence throughout their attack lifecycle.”

This systematic approach resulted in the compromise of personal records, including healthcare data, financial information, government credentials, and other sensitive information.

The primary goal of the cybercriminals is the extortion of the compromised organizations. The attacker created ransom notes to compromised systems demanding payments ranging from $75,000 to $500,000 in Bitcoin. But if the targets refuse to pay, the stolen personal records are bound to be published or sold to other cybercriminals.

Other campaigns stopped by Anthropic involved North Korean IT worker schemes, Ransomware-as-a-Service operations, credit card fraud, information stealer log analysis, a romance scam bot, and a Russian-speaking developer using Claude to create malware with advanced evasion capabilities.

But the case in which Anthropic found cybercriminals attack at least 17 organizations represents an entirely new phenomenon where the attacker used AI throughout the entire operation. From gaining access to the target’s systems to writing the ransomware notes—for every step Claude was used to automate this cybercrime spree.

Anthropic deploys a Threat Intelligence team to investigate real world abuse of their AI agents and works with other teams to find and improve defenses against this type of abuse. They also share key findings of the indicators with partners to help prevent similar abuse across the ecosystem.

Anthropic did not name any of the 17 organizations, but it stands to reason we’ll learn who they are sooner or later. One by one, when they report data breaches, or as a whole if the cybercriminals decide to publish a list.

Data breaches of organizations that we’ve given our data to happen all the time, and that stolen information is often published online. Malwarebytes has a free tool for you to check how much of your personal data has been exposed—just submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scanner and we’ll give you a report and recommendations.

Tag

#intel