Cybersecurity Today: Supply Chain Attacks, St. Paul's Cyber Emergency, and Ingram Micro's Data Breach

Podcast Information:

Title: Cybersecurity Today
Host: Jim Love
Description: Updates on the latest cybersecurity threats to businesses, data breach disclosures, and how you can secure your firm in an increasingly risky time.
Episode: Cybersecurity Today: Supply Chain Attacks, St. Paul's Cyber Emergency, and Ingram Micro's Data Breach
Release Date: August 1, 2025

Introduction

In the latest episode of Cybersecurity Today, host Jim Love delves into the escalating threats within the cybersecurity landscape. From sophisticated supply chain attacks to municipal cyber emergencies and large-scale data breaches, Love provides listeners with a comprehensive overview of recent incidents and the evolving strategies to combat these threats.

Sophisticated Supply Chain Attacks

Timestamp: [00:01]

Jim Love begins the episode by highlighting the increasing sophistication of supply chain attacks. He references a report from the YouTube channel Javabrains, recounting a significant incident involving a malicious extension in the Cursor IDE, an AI-based code editor widely used by developers and high-profile tech companies like OpenAI and Shopify.

Key Points:

Victim Details: A highly skilled blockchain developer had $500,000 in cryptocurrency stolen.
Attack Vector: Installation of a malicious Solidity language extension from Cursor’s extension marketplace.
Technical Breakdown: The extension included a JavaScript file that executed a PowerShell script upon IDE startup, installing remote access software configured for attacker control. This led to the exfiltration of wallet credentials and crypto assets.
Registry Vulnerabilities: The attack exploited OpenVSX, a reputable open extension registry governed by the Eclipse Foundation, highlighting that even well-established communities can harbor vulnerabilities.

Notable Quote:

“Even well-established communities may not be safe for high-value or commercial implementations. They might be too big a risk.” – Jim Love ([10:45])

Recommendations:

Scrutinize publisher details and avoid relying solely on extension rankings.
Understand the ranking algorithms that may be manipulated to favor malicious extensions.
Implement rigorous compartmentalization and secure storage practices for sensitive assets.

The Oyster Backdoor: A Stealthy Threat

Timestamp: [15:30]

Love transitions to another alarming supply chain issue reported by GBHackers, detailing the emergence of a stealthy backdoor named Oyster. This malware infiltrates systems through Trojanized versions of widely-used tools like Putty and Keepass.

Key Points:

Attack Method: Distribution via deceptive search engine entries and ads masquerading as legitimate installers.
Functionality: Once installed, Oyster establishes a hidden connection to a command server, enabling remote command execution, file exfiltration, and module downloads.
Evasion Techniques: Uses signed binaries, encrypted payloads, and DLL sideloading to bypass detection.

Notable Quote:

“We have to regard downloading tools and extensions with zero trust approaches. Unless we can prove they're safe, they shouldn't be trusted.” – Jim Love ([22:10])

Implications:

Exploits user trust in established tools and repositories.
Highlights the necessity for zero-trust approaches in software procurement and installation.

St. Paul’s Cyber Emergency: National Guard Deployed

Timestamp: [30:00]

A significant cyber incident in St. Paul, Minnesota underscores the vulnerability of municipal systems. The city faced a crippling cyberattack that impacted essential services, necessitating the deployment of the Minnesota National Guard's 177th Cyber Protection Team.

Key Points:

Affected Systems: Payroll, licensing, and remote work access among other municipal functions.
Attack Characteristics: Deep and widespread intrusion with potential long-term undetected access spanning months.
Response: National Guard assistance to contain and assess the damage, collaborating with federal agencies.

Notable Quote:

“Many municipalities have increasingly limited IT resources to defend themselves, making them prime targets for ransomware and other cybercrimes.” – Jim Love ([35:50])

Broader Context:

Reflects a trend of rising cyberattacks targeting local governments.
Emphasizes the critical need for robust cybersecurity infrastructures in public sectors.

CISA’s Eviction Strategies Tool: A New Defense Mechanism

Timestamp: [40:15]

In response to persistent cyber threats, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced the Eviction Strategies tool. This free, interactive tool is designed to help cybersecurity teams systematically remove persistent threats from their networks.

Key Features:

Customized Strategies: Guides responders through questions about the attacker’s access level, lateral movement, and persistence methods to develop tailored eviction plans.
Emphasis on Timing: Highlights the importance of coordinated actions to prevent attackers from retaliating or re-entering the network.
Comprehensive Support: Part of a suite of resources including the Decider and Incident Response playbook.

Notable Quote:

“Timing is everything. If you clean up one compromised account while leaving another active, the attackers may notice and retaliate or simply re-enter.” – Jim Love ([45:00])

Benefits:

Enhances the capabilities of both experienced defenders and under-resourced teams.
Encourages a proactive and structured approach to threat removal.

Ingram Micro’s Data Breach: A Recurrent Threat

Timestamp: [50:30]

Wrapping up the episode, Love revisits the ongoing issue concerning Ingram Micro, one of the world's largest technology distributors. The SafePay ransomware group has claimed responsibility for exfiltrating 35 terabytes of data, threatening to leak sensitive information.

Key Points:

Nature of the Breach: Unlike traditional ransomware attacks, SafePay focused on data exfiltration without encrypting systems, facilitating quicker recovery for Ingram Micro.
Data Compromised: Includes internal emails, financial records, HR files, custom data, and proprietary tools.
Attackers’ Tactics: SafePay has reportedly sold some of the stolen data and listing Ingram Micro among other companies that did not pay the ransom.

Implications for Defenders:

Reinforces that ransomware threats extend beyond encryption to include significant data breaches.
Necessitates investments in outbound traffic monitoring, anomaly detection, and stringent access controls.

Notable Quote:

“It's a serious threat. Ingram Micro is a well-known and reputable brand, and a breach of this scale could have major downstream implications.” – Jim Love ([55:20])

Advice for Affected Parties:

Stay vigilant if you're a partner or customer of the compromised entity.
Implement comprehensive security measures that go beyond traditional backup strategies.

Conclusion

In this episode of Cybersecurity Today, Jim Love provides a sobering look into the current state of cybersecurity threats. From intricate supply chain attacks exploiting trusted platforms to large-scale breaches impacting major corporations and municipalities, the landscape is fraught with challenges. Tools like CISA’s Eviction Strategies offer hope, but the onus remains on organizations to adopt vigilant, zero-trust approaches and continuously evolve their defense mechanisms to safeguard against increasingly sophisticated adversaries.

For More Information: Visit technewsday.com for show notes and additional resources. Engage with the community by sharing your opinions or advice on the latest wave of supply chain attacks through the Contact Us form or by leaving comments on the YouTube video.

Transcript

Jim Love (0:01)

Supply chain attacks continue with increasing sophistication. CISA releases a new eviction strategies tool. The city of St. Paul has to call in the National Guard to deal with a cyber emergency. And Ingram Micro is back in the news as SafePay ransomware group threatens to leak 35 terabytes of customer data. This is Cybersecurity Today. I'm your host Jim Love. This story came to me via a YouTube channel called Javabrains because I don't believe everything I see on YouTube. Big surprise. I did a back check and validated the story. Here's how it goes. In June or July of 2025, a person described as a highly skilled blockchain developer had $500,000 in cryptocurrency stolen after he installed a malicious Solidity language extension in the Cursor IDE, an AI based code editor and a VS code fork. Cursor AI has over 1 million users, including approximately 360,000 paying customers. It's widely adopted by developers and has high profile tech companies like OpenAI, Shopify and Perplexity working with it. Cursor's rapid growth has made it one of the most popular AI powered coding tools, one of the leading IDEs in 2025, especially for developers seeking integrated AI support. Likewise, the community that he used to Download the extension, OpenVSX is a reputable, well established registry for VS coder extensions hosted and governed by the Eclipse Foundation, a respected not for profit open source organization. It has links to major companies like Google, Salesforce, Siemens and Huawei. They all participate in its governance and development. OpenVSX is used by at least 8 million developers, so the developer, reportedly using a clean system and careful practices, installed what appeared to be a legitimate extension, Solidity from Cursor's built in extension marketplace and Solidity is a popular extension. It's well known and it provides language support for writing, editing and managing Solidity code, which is the main programming language for creating smart contracts on Ethereum and EVM compatible blockchains. So the Solidity extension he downloaded had 54,000 downloads, looked professional, had the name of the original developer, and was top of the list on recommended extensions. What could possibly go wrong? A lot apparently, and that's what this developer found when he saw $500,000 had disappeared from a crypto wallet he controlled what happened. The Extension planted a JavaScript file extension JS, so every time the IDE started, it would download and execute a PowerShell script from a remote server. This script installed legitimate remote access software, Screen Connect, but configured that for attacker control, allowing full remote takeover. Attackers use this access to upload additional malware like Quasar Rat and purelog Stealer, and systematically exfiltrated wallet credentials, passwords, and ultimately the developer's crypto assets. And how did this happen? OpenVSX, a community run open extension registry, is popular, but apparently has looser controls than Microsoft's proprietary store, which apparently makes it possible for attackers to upload fake, malicious or cloned extensions. The extension looked exactly like the real Solidity extension and it used a nearly identical publisher name, only with a capital I for a lowercase l. And then it manipulated the ranking and download statuses to appear legitimate. It turns out that even well established communities have may not be safe for high value or commercial implementations. They might be too big a risk, although in fairness I'm taking part of this on faith. Microsoft's proprietary products are reportedly more secure, but even Microsoft is not immune to vulnerabilities, so take that with a grain of salt, but it is something we need to think about. And in fairness, the OpenVSX community did take action. The malicious extension was removed, although reportedly the attackers re uploaded a new variant the next day. So despite the quick response, hundreds or thousands of developers may have been impacted. The developer followed most traditional recommendations. Beware of new non functional extensions and uninstall anything suspicious immediately scrutinize publisher details. Avoid early adoption. But to that I think you have to add another point. If you are relying on high rankings as evidence of authenticity, you have to understand the ranking algorithm. In this case, OpenVSX's algorithm increases the ranking of extensions that have been recently updated. The malicious extension was updated just days before the victim searched, while the legitimate extension hadn't been updated in weeks. This freshness boost pushed the fake extension above the authentic one in search results, even though it had marginally fewer downloads. Some have pointed out that the developer may have failed in maintaining rigorous compartmentalization for sensitive work, and some have commented on the wisdom of leaving half a million dollars in a hot wallet instead of in cold storage, which is more secure. You can make up your own mind on that. Many in the open source community are getting beyond blame and are looking for solutions to these incredibly sophisticated supply chain attacks. We've covered one solution earlier this year and hopefully we'll get some ideas in our weekend show, but if you have other suggestions or ideas on this, let us know. On a similar Note, the blog GBHackers is reporting another supply chain issue this week. A stealthy backdoor called Oyster is spreading through Trojanized versions of common tools like Putty and Keepass, and it's targeting unsuspecting Windows users. In this case, the attackers use tricks like search engine entries and even ads, which feature installers for these popular tools. So when people are downloading these ads or paid links, attackers are disguising Oyster as legitimate installers for apps like Firefox, seven, Zip, and even, apparently, Microsoft Edge. Once installed, Oyster creates a hidden connection back to a command server. It can execute remote commands, exfiltrate files, and download additional modules to expand its capabilities. It uses signed binaries, encrypted payloads, and DLL sideloading to avoid detection. This type of campaign is especially dangerous because it abuses trust. Most users assume apps like Putty and Keepass are safe, especially if they've used them before and the sites they load them from are well done, look authentic, and many have even captured expired certificates to further bolster their authenticity. It's another key reminder that we have to be extremely cautious about tools that are downloaded from approved or even reliable sources. But until we get a better solution, we have to regard downloading tools and extensions with zero trust approaches. Unless we can prove they're safe, they shouldn't be trusted. A cyber attack has crippled the city of St. Paul, Minnesota, prompting officials to call in the National Guard for digital support. The breach affected multiple municipal systems, including those responsible for payroll, licensing and other things like remote work access. The city confirmed that the hackers gained access to internal IT infrastructure, with investigators describing the intrusion as deep and widespread. Officials say they don't yet know the full scope or whether any personal data was compromised. The Minnesota National Guard's 177th Cyber Protection Team has been deployed to help contain and assess the damage. The team specializes in helping state and local agencies recover from cyberattacks, often working alongside federal agencies. City officials have not yet said who is behind the breach or what methods were used, but one source told Ars Technica that the attack may have been ongoing for months before detection. But St. Paul is only the most recent of a growing list of municipalities that have been hit by ransomware and other forms of cybercrime, and municipalities that often have increasingly limited IT resources to defend themselves. And in other news, cisa, the US Cybersecurity and infrastructure security agency, has released a new tool designed to help defenders kick attackers out for good. The Eviction Strategies tool is aimed at helping cybersecurity teams remove persistent threats from their networks. It walks responders through steps needed to fully evict an attacker, even if they've dug in with stolen credentials or backdoor access better than anything it's free to use. CISA developed a tool based on years of incident response experience and and one of the key lessons Timing is everything. If you clean up one compromised account while leaving another active, the attackers may notice and retaliate, or simply re enter. The tool is interactive. It guides users through questions like what kind of access the attacker has, whether they've moved laterally, what persistence methods they're using, and based on your answers, it builds a customized eviction strategy. It also emphasizes coordinated action, taking down all compromised access at once to avoid tipping off the threat actor. The tool is part of a growing set of practical resources from cisa, including their Decider and Incident Response playbook. Even experienced defenders can benefit, but for under resourced teams this could be a great asset. And for those with a lot of experience in this area, CISA is actively soliciting comments. You can find a link in the show Notes and finally, an update on a past story it Giant Ingram Micro is back in the news. SafePay ransomware gang claims to have stolen 35 terabytes of data and is threatening to leak. Turns out that SafePay may not have encrypted any systems, just exfiltrated data, which might explain how Ingram Micro was able to recover so quickly. They provided journalists with samples showing internal emails, financial records, HR files, custom data and proprietary tools. They also claimed to have already sold some of the data. This is a serious threat. Ingram Micro is one of the world's largest technology distributors, with ties to thousands of resellers, service providers and vendors. A breach of this scale could have major downstream implications. Ingram appears on the group's leak site, so we can assume that they didn't pay the ransom. Along with, we note, many other companies that are on that site, which supposedly features only companies who did not pay. The use of extortion without encryption is part of a growing trend. It's a reminder that stopping ransomware isn't only about backups. If attackers can quietly steal data, they can still hold a company hostage. For defenders, this means investing in outbound traffic monitoring, anomaly detection, and tighter controls on access to sensitive files. And if you're a partner or customer of Ingram Micro, it's worth staying alert. Ingram is a well known and reputable brand and we hope they'll be responding to this shortly. And that's our show. You can find show notes@technewsday.com or CA and you can use the Contact Us form there. If you want to share opinions or advice on this wave of supply chain attacks. And of course, if you're watching this on YouTube, leave a comment under the video. I'm your host, Jim Love. Thanks for listening.