
A
From the CISO Series, it's Cyber Security Headlines.
B
These are the cybersecurity headlines for Tuesday, September 9, 2025. I'm Rich Stroffolino.

GhostAction campaign targets GitHub

On September 2, GitGuardian discovered that the account for a GitHub project they use internally, FastUUID, was compromised. That compromised account enumerated secrets from workflow files, then hardcoded secret names into the workflows. Looking into that particular compromise, the company found indicators of compromise pointing to a larger campaign, dubbed GhostAction, impacting 327 GitHub users and 817 repositories. This campaign leaked over 3,300 secrets, including AWS instances, Docker Hub tokens and npm tokens. GitGuardian notified the GitHub, PyPI and npm security teams about the campaign, with many already reverting repositories.

Scam centers see huge growth in Myanmar

The Guardian reports that, according to new research and drone footage, the number of industrial-scale scam call centers on the Thai-Myanmar border has more than doubled since the Myanmar military coup in 2021.
C
With construction of new facilities underway at an estimated rate of 55 hectares a month. These facilities are run by criminal organizations, with Thai police estimating at least 100,000 trafficked people in these border facilities, lured in with the promise of jobs. These elaborate facilities are heavily fortified and contain luxury housing for management, as well as serving as social proof for investment scams.

Spies impersonate US lawmaker to target trade
B
groups, the Wall Street Journal's sources say.
C
The Chinese-backed APT41 orchestrated a campaign in July posing as U.S. Representative John Moolenaar, chairman of the House Select Committee on the Chinese Communist Party. These emails were sent from a non-governmental address to trade groups, government agencies and law firms, with an attachment that
B
appeared to be draft legislation and a request for input.
C
An investigation by Google's Mandiant found that clicking on the attachments would attempt to install a backdoor. At the time the emails were sent, the US was set to begin trade talks with China in Sweden.
B
GPUGate targets IT firms

Researchers at Arctic
C
Wolf detailed a new campaign with a new take on malicious advertising, dubbed GPUGate. This campaign uses paid ads on Google and other search engines, which embed a GitHub commit in the page URL. This contains an altered link that points to the threat actor's infrastructure. This initially points to a 128 megabyte Microsoft software installer, while a GPU-gated decryption routine keeps its payload encrypted on systems without a GPU. This would stymie analysis of the malware on a virtual machine or other sandbox that doesn't typically have GPU resources. The payloads indicate the operators speak Russian, and the campaign exclusively targets IT and software development companies in Western Europe.
B
And now, thanks to today's episode sponsor, Vanta. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But more than 9,000 companies have continuous visibility into their controls with Vanta. Vanta brings automation to evidence collection across over 35 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI.
C
Now that's a new way to GRC.
B
Get started at vanta.com/headlines.

iCloud Calendar used to send phishing emails

BleepingComputer received word of this scam from a reader who received a message from noreplymail.apple.com advising that their PayPal account was billed, and providing a support number to dispute the transaction. Calling the number would lead to scammers attempting to install some "helpful" software so the customer could log into their PayPal account to initiate a refund, a.k.a. rip them off. The attackers sent this message as an iCloud Calendar event to a Microsoft 365 email address. That address was itself a mailing list for a full list of potential victims. While the phishing lure is an extremely tried-and-true approach, the way it was delivered successfully passed SPF, DMARC and DKIM email security checks.

Wealthsimple confirms data breach

The Canadian fintech firm said the breach exposed sensitive information on less than 1% of its clients. 30,000 customers had government IDs, social insurance numbers and account numbers exposed. The incident was caused by a compromised third-party software provider and was detected on August 30th. All impacted customers were notified as of September 5th. Wealthsimple will offer the industry-standard two years of credit and dark web monitoring, and encourages all of its customers to enable 2FA.

PACER struggles with MFA rollout

PACER is the US government-run system used by US courts to access court documents. It's a critical backbone to our legal system. Back in April, PACER announced MFA would become mandatory on accounts that file documents or manage cases, and sent out a notice in August reminding users to enroll by the end of the year, according to reporting by the Register. Some attorneys trying to enroll are seeing long website freezes when logging on, and support lines are hammered, leading to multi-hour wait times. As a result, PACER lifted its end-of-year deadline and said it's switching to a phased MFA rollout. Users should not enroll until prompted by the system.

Signal lets you back that chat up

The popular encrypted messaging app announced that a beta version of Chat Backups is coming to Android as both a free and paid offering. Users can back up 100 megabytes of chats and the last 45 days of media for free, while 100 GB of media backups will also be available as a paid feature for $1.99 a month. Users receive a 64-character recovery key for chat backups that's generated on device. Signal does not link backups to a user or payment method. Cross-platform availability is in the works. This marks Signal's first paid feature. Until now, it only accepted donations.

Everyone talks about the need for prevention in cybersecurity, but the dirty secret is it's rarely practiced, because it introduces productivity friction. Will prevention always be cybersecurity lip service? Or is there a way to achieve meaningful prevention without interrupting the business? That's one of the segments we have on our latest episode of the CISO Series Podcast. Look for the episode "We all agree that prevention is the best advice we're never going to follow" wherever you get your podcasts. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We read everything that you send us, and we love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A
Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: Cyber Security Headlines
Host: Rich Stroffolino, CISO Series
Main Theme:
A fast-paced overview of the top stories in information security, highlighting major breaches, novel cybercrime campaigns, new vulnerabilities, and trends impacting the tech and legal sectors.
[00:07–01:15]
Memorable Quote:
“This campaign leaked over 3,300 secrets, including AWS instances, Docker Hub tokens and npm tokens.”
— Rich Stroffolino, [00:45]
[01:16–01:43]
Quote:
“These elaborate facilities are heavily fortified and contain luxury housing for management as well as serving as social proof for investment scams.”
— [01:38]
[01:44–02:20]
Quote:
“An investigation by Google’s Mandiant found that clicking on the attachments would attempt to install a backdoor.”
— [02:08]
[02:21–03:07]
Quote:
“This would stymie analysis of the malware on a virtual machine or other sandbox that doesn’t typically have GPU resources.”
— [02:49]
[03:50–04:28]
Quote:
“While the phishing lure is an extremely tried and true approach, the way it was delivered successfully passed SPF, DMARC and DKIM email security checks.”
— [04:23]
[04:29–04:52]
[04:53–05:28]
[05:29–06:16]
Editorial Note:
The show highlights an episode tackling the perennial gap between security “prevention” advice and workplace adoption, with the tongue-in-cheek title:
“We all agree that prevention is the best advice we’re never going to follow.” — [06:47]
Community Engagement:
Listeners are encouraged to send feedback to the show, which “reads everything that you send us and we love to hear from you.” — Rich Stroffolino, [07:02]
This episode provides a succinct but comprehensive sweep of major infosec stories—from elite cyber-espionage and creative malware distribution to practical security headaches for end users and institutions. The recurring message: threats are evolving, prevention is complex, and community awareness is critical.