Transcript
A (0:01)
Compromise of the Nx build system infects 1,000 developers. Popular enterprise web content management system lets attackers remotely execute code. Amazon disrupts a sophisticated multi-factor authentication device code campaign. Salesforce data theft attacks get worse. This is Cybersecurity Today, and I'm your host, David Shipley. Let's dig into the latest.

More than a thousand developers woke up last week to find their GitHub accounts compromised and secrets dumped into new public repositories. It started with a hijacking of the popular Nx build system. Attackers acquired an npm publishing token and, over the course of a few hours, published malicious versions of the Nx package and several plugins. Anyone who installed or updated during that window was infected with a script called telemetry.js that leveraged AI command line tools, Claude Code, Gemini, and Amazon Q, to scour local machines for high-value secrets. Within hours, it harvested GitHub and npm tokens, SSH keys, application secrets, and even cryptocurrency wallets from more than 1,000 developers and created public GitHub repositories like, quote, "s1ngularity-repository", end quote, in the victims' own accounts, leaking about 20,000 files. Now, to make it worse, to slow anyone trying to respond to the malware, it also booby-trapped shell startup files so that every time a terminal launched, it crashed. npm removed the malicious packages and GitHub disabled the rogue repositories, but roughly 90% of the stolen tokens remained active.

This wasn't an isolated AI-fueled disaster this summer. In July, researchers warned that large language models hallucinate package names with alarming frequency. In tests covering 1.15 million prompts, commercial models invented non-existent packages 5.2% of the time, and open source models did so a staggering 21.7% of the time.
Across all of the different tests, 205,474 hallucinated package names were generated, and attackers have begun registering these fake names in a tactic called slopsquatting. If a developer blindly installs an AI-suggested package, they unknowingly pull in malware. Less than a week after that warning, a malicious pull request against the Amazon Q Developer extension for Visual Studio Code inserted a script that downloaded an extra file and passed a prompt to the Amazon Q AI assistant instructing it to wipe the user's home directory and delete AWS resources. This rogue extension lived in Microsoft's marketplace for two days before AWS revoked credentials and released a fixed version. The attacker later said this dangerous stunt was meant to expose lax security reviews.

Taken altogether, these stories highlight a troubling pattern. AI-driven development introduces new avenues for compromise and new economies of scale and attack speeds for criminals. Prompt-injected assistants can be tricked into running destructive commands, hallucinated package names can lure developers into installing malware, and compromised build tools can harvest secrets at scale. AI is not going away, but repeating all of the sins of our past approaches to modern technology security is yielding the same awful results, but at greater speed: chaos and harm. Organizations looking to get the best of AI must implement robust security by design in their development practices, closely looking at tools, dependencies and processes to prevent as much harm as possible and to react at AI speed when things go wrong. If organizations are unable or unwilling to do that work, they shouldn't implement AI-powered tools in their development shops.

Researchers at watchTowr Labs disclosed three vulnerabilities in the popular Sitecore Experience Platform that, when combined, can give an attacker remote code execution.
CVE-2025-53693 allows for cache poisoning, CVE-2025-53691 is an insecure deserialization flaw, and CVE-2025-53694 exposes cache keys via the ItemService API. Patches for the first two flaws were released in June and for the third in July. By enumerating cache keys through the ItemService API, poisoning those keys, and then exploiting the deserialization bug, an unauthenticated attacker can trick Sitecore into executing arbitrary code. If your organization runs Sitecore, and this web content management system is used by global brands in key sectors around the planet, apply these patches immediately. Restrict access to the ItemService API and, for goodness' sake, do not leave default credentials in place.

Now, as we move from software supply chains to nation-state threats, note how attackers are adapting to target authentication flows. Amazon's threat intelligence team says it disrupted a watering hole operation attributed to Russia's APT29. For those tracking, they're also known as Midnight Blizzard or Cozy Bear. The group compromised legitimate websites and injected JavaScript that redirected about 10% of visitors to domains like findcloudflare.com that mimicked Cloudflare verification pages. Victims were prompted to enter a device code on a Microsoft login page. The code would be captured and would authorize attacker-controlled devices to access Microsoft 365 accounts. Amazon notes the attackers encoded their scripts, used cookies to avoid repeated redirects, and shifted to new infrastructure when domains were caught and blocked. The campaign shows how nation-state actors are adapting to multi-factor authentication flows. Security awareness still matters; it matters a lot, and anyone telling you that technology silver bullets solve the entire problem is not doing you a favor. So defense in depth still counts on people. Continue to educate your team to be suspicious of unsolicited device code prompts and to double-check domain names before entering any authentication codes.
Google's Threat Intelligence Group has expanded its warning about the data theft campaign abusing the Salesforce Drift AI chat agent as part of larger salesforce.com compromises. Initially, stolen OAuth tokens were used to access Salesforce customer instances, exfiltrating data such as AWS keys, passwords and Snowflake tokens from at least 700 organizations. But a recent update reveals that some of those tokens were also used to access Google Workspace. Google has revoked all Workspace tokens associated with Drift, disabled the integration and notified affected account holders. It now urges all Salesloft Drift customers to assume any tokens connected to that platform are compromised. Review every integration with the platform and rotate credentials as needed. Salesloft has retained Mandiant to investigate, and Salesforce went even further, announcing last week it has disabled Drift integrations across Salesforce Cloud, Slack and Pardot.

This incident is part of a wider wave of Salesforce data theft headache attacks attributed to clusters like ShinyHunters and UNC6395. Credit reporting giant TransUnion was the latest victim. It reported more than 4.4 million US customers had personal data stolen from their Salesforce account. That data included names, billing addresses, phone numbers, email addresses, dates of birth and even unredacted Social Security numbers; the personal data of millions of Americans may now be in the hands of criminals. Bleeping Computer reports the attackers claim to have taken more than 13 million records in total. And the TransUnion breach is linked to the same Salesforce data theft campaigns targeting high-profile organizations such as Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel and Qantas. These attacks demonstrate how a single compromised integration can cascade into mass data exposure across many organizations. If your company integrates between Salesloft, Salesforce or other SaaS platforms, make sure you're checking into it.
Assume attackers are already probing your environment, and take steps to protect yourself. Salesloft's website promotes its agentic AI offerings. If those offerings were at the root of this cascading breach nightmare, it may mark one of the earliest and most significant security failures associated with this bleeding-edge AI technology. And unfortunately for everyday folks, they're often the ones getting cut with data breaches when companies live at the bleeding edge.

Those are our updates for Tuesday, September 2nd. If you missed last weekend's August month in review, you should go back and give it a listen. Laura Payne and Tammy Harper are awesome as always, and Jim and I do our best to keep up, as always. Stay skeptical, stay patched, and may the Force be with you. If you have Salesforce and you were using that Drift AI and you didn't bother to rotate those tokens, please help us spread the word. Like, subscribe, consider leaving a review, and if you enjoy the show, please tell others. We'd love to grow our audience and we need your help. I've been your host, David Shipley, coming to you from fall-like Fredericton, New Brunswick.
