Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Hey everybody, Dave here. Join me and my guests, Outpost24's Laura Enriquez and Michaelo Steppa, on Tuesday, May 13th at noon Eastern time for a live discussion on the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable, practical steps to strengthen your defenses. Again, the webinar is Tuesday, May 13th, for our live conversation on the state of modern web application security. You can register now by visiting events.thecyberwire.com. That's events.thecyberwire.com. We'll see you there.

And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.

The messaging app used by CBP and the White House faces continued security scrutiny. Hacktivists breach the airline used for US deportation flights. The FBI warns that threat actors are exploiting outdated, unsupported routers. Education giant Pearson confirms a cyber attack. Researchers report exploitation of Windows Remote Management for stealthy lateral movement in Active Directory environments. A sophisticated email attack campaign uses malicious PDF invoices to deliver a cross-platform RAT. A zero-day vulnerability in SAP NetWeaver enables remote code execution. And an Indiana health system reports a data breach affecting nearly 263,000 individuals. Our guest is Alex Cox, Director of Information Security at LastPass, discussing tax-related lures targeting refunds. And AI empowers a murder victim to speak from beyond the grave.

It's Friday, May 9, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief.

Happy Friday, and thanks for joining us here today. It is great to have you with us.

U.S. Customs and Border Protection confirmed it uses at least one app from TeleMessage, a service that clones popular messaging apps like Signal and WhatsApp but adds archiving features for compliance. Following a detected cyber incident, CBP disabled the app. TeleMessage, now owned by US-based Smarsh, paused all services amid investigations into multiple security breaches and flaws in its Android app's source code. A recent photo showed former National Security Adviser Mike Waltz using the app, appearing to chat with officials including Vice President J.D. Vance. Senator Ron Wyden has urged the DOJ to investigate, calling the software a national security risk. Despite being a federal contractor, TeleMessage's consumer apps aren't approved under FedRAMP. The full scope of government use remains unclear.

Hacktivists claiming ties to Anonymous breached GlobalX Airlines, a US Government contractor used for deportation flights, stealing flight records, passenger lists and months of itinerary data. They defaced the airline's website with a political message and a Guy Fawkes mask image criticizing the company's role in deportations. The hackers contacted journalists and leaked data showing details of flights deporting hundreds of Venezuelan migrants, some mid-flight while legal challenges were still pending. According to 404 Media, the hackers accessed GlobalX's AWS cloud by exploiting a developer token and retrieving access keys. They also reportedly sent messages to pilots using a flight operations tool and accessed the company's GitHub. The breach highlights several security lapses. As of now, neither GlobalX nor US immigration officials have commented.

The FBI has warned that threat actors are exploiting outdated, unsupported routers, likely from brands like Cisco's Linksys and Ericsson's Cradlepoint. Using unpatched vulnerabilities and remote management software, hackers bypassed authentication to gain shell access, installed malware, and turned the devices into part of a botnet. These compromised routers were then used as proxies via the AnyProxy and 5Socks networks, helping criminals hide their activities. Malware communications included a two-way handshake with a command and control server. While no specific group was named, the FBI noted that Chinese cyber actors have exploited similar vulnerabilities in the past. Users are urged to replace old routers or disable remote access. This alert follows the release of OpenEOX, a proposed standard to better manage end-of-life disclosures for tech products.

UK-based education giant Pearson confirmed a cyber attack in which threat actors stole corporate and consumer data, mostly described as legacy data. The breach reportedly stemmed from an exposed GitLab personal access token in a public git config file, allowing attackers to access source code and embedded cloud credentials over months. They allegedly exfiltrated terabytes of data from AWS, Google Cloud and services like Salesforce and Snowflake. Pearson says no employee data was stolen and is continuing its investigation.

Researchers at Practical Security Analytics report that threat actors are increasingly exploiting Windows Remote Management for stealthy lateral movement in Active Directory environments. WinRM, used for legitimate remote administration via PowerShell, becomes a powerful tool for attackers once they obtain valid credentials through phishing, brute force or credential dumping. Using WinRM commands like Invoke-Command, attackers scan for accessible systems on ports 5985 and 5986, authenticate remotely and execute malicious payloads under normal-looking processes. Advanced techniques, including PowerShell cradles and reflective .NET loaders, allow payloads to run entirely in memory, bypassing AMSI and logging. The researchers outline a typical attack chain: initial access, reconnaissance, credential abuse, payload deployment and privilege escalation. They recommend restricting WinRM access, monitoring anomalies and enhancing endpoint detection to catch misuse of this native Windows tool.

Researchers at Fortinet have uncovered a sophisticated email attack campaign using malicious PDF invoices to deliver a cross-platform remote access trojan called RATI. While primarily targeting Windows, the malware also affects Linux and macOS systems running Java. The attack starts with deceptive emails that pass SPF validation using the Servicio decorillo ES service, luring victims into clicking buttons in the PDF that launch a multi-stage infection. The process uses Dropbox and MediaFire to host files, ngrok tunneling and geofencing to evade detection. Victims in Italy receive a Java-based JAR file, while others see harmless documents, fooling email scanners. Once active, RATI enables attackers to execute commands, log keystrokes and access webcams and files. The campaign highlights how attackers combine social engineering and advanced evasion to bypass security and maintain persistent access.

A critical zero-day vulnerability in SAP NetWeaver has been exploited by threat actors to compromise hundreds of systems worldwide, enabling remote code execution. Onapsis and Mandiant began tracking attacks as early as January, with active exploitation confirmed before SAP issued patches on April 24. Attackers deployed web shells and executed commands to maintain access, targeting industries from energy to government. Onapsis warns that attackers possess deep SAP knowledge and urges immediate patching, compromise assessment and updated detection measures.

Union Health System in Indiana has reported a data breach affecting nearly 263,000 individuals, linked to a January cyber attack on legacy Cerner systems during a migration to Oracle's cloud. The compromised data includes sensitive patient information such as Social Security numbers, medical records and insurance details. The breach, confirmed by Oracle in March, did not impact Union Health's live systems. Lawsuits allege negligence by both Union Health and Oracle and claim a threat actor named Andrew is extorting affected hospitals. Oracle denies a breach of its cloud infrastructure but acknowledged unauthorized access to outdated servers. While Oracle will cover credit monitoring costs, it won't notify individuals directly. Union Health is offering free credit protection and is facing mounting legal pressure over its handling of the incident.

Coming up after the break, my conversation with Alex Cox, Director of Information Security at LastPass. We're discussing tax-related lures targeting refunds. And AI empowers a murder victim to speak from beyond the grave. Stay with us.

Traditional pen testing is resource-intensive, slow and expensive, providing only a point-in-time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost24's continuous pen testing as a service solution offers year-round protection with recurring manual penetration testing conducted by CREST-certified pen testers, allowing you to stay ahead of threats and ensure your web applications are always secure.

And now a word from our sponsor, Black Kite. If third-party risk is keeping you up at night, you're not alone. It's a constant battle. Black Kite's third-party cyber risk platform is built on real-world threat intelligence straight from their research team's ongoing breach analysis, dark web monitoring and attacker tactics. That means you get a hacker's-eye view of your supply chain to proactively spot risks. And speaking of research, they just dropped their 2025 third-party breach report, breaking down last year's biggest trends and what's coming next. Grab the report now at www.blackkite.com.

Our guest is Alex Cox, Director of Information Security at LastPass, discussing tax-related lures targeting refunds.

So I'm glad we get to catch up here today because, you know, there's a flurry of activity, and I think on people's minds as we come up to tax season, which of course here in the US is in April. But then on the other side of that, I think a lot of times people let their guard down, and you and your colleagues at LastPass are saying maybe not so fast, there's still some things that need your attention.
Alex Cox
Yeah, yeah, absolutely. You know, so tax season is just like any other, you know, significant time of the year, be it a holiday or, you know, some deadline or what have you. And what I typically tell people is that the bad guys are, you know, entrepreneurial and opportunistic. So they will use any one of these things as, you know, lures to accomplish their goals. Right. They adapt to current news, they adapt to holiday cycles. So, you know, what we see every year come tax season is, you know, these typical, you know, tax season type attacks. The thing that's really interesting that sort of developed over the past probably five or six years is, you know, you've heard about this move from these smaller kind of intrusion attempts to what the bad guys are doing now, which is big game hunting. Right. They're going to go for a much bigger firm to attempt to get access to a lot more data. And over the past five or six years, we've seen that in the tax season area too. Right. So instead of a bad guy attacking an individual taxpayer, which they still do, they may also go after a CPA firm or a tax preparation agency or, you know, a big online tax company. The idea there being that if I get into that firm, I've got access to a whole bunch of people rather than just those onesie-twosie seats that I'm targeting individually.
Dave Bittner
So this time of year, what sort of things are you seeing? Does it have to do with things like refunds?
Alex Cox
Yeah, I mean, so if you think about it, if I'm a tax preparation agency or I'm an individual submitting my tax return or tax information, that's kind of like, you know, an open book to your life. Right. It's got your employer, it's got your address, it's, you know, potentially got your relatives, it's got identifying information about you. The bad guys can then take that and do, you know, what they want to with it. They can apply for loans, they can, you know, do, you know, various fraud. We've actually seen them get fake tax returns through the IRS. So they'll pretend to be you, submit their tax return, get a tax refund, and then, you know, off they go with your money, and then the IRS comes after you and says, hey, you know, you made a mistake, give us our money back. So yeah, it's, you know, it's really interesting and kind of varied, the way the bad guys act, you know, act around this time of year.
Dave Bittner
I suppose they're looking for bank account access, trying to pretend like they need to direct deposit things, stuff like that.
Alex Cox
Yeah, I mean, so, you know, if you think about what you can do with, say, somebody's Social Security number and their banking info and that sort of thing, you know, they could do everything from social engineer their way into your banking, you know, bank account. But with that sort of information, they might also be able to social engineer their way into an email account or, you know, some online account. And, you know, what's very common is when you get this base source of identity information for a person, the bad guys are good about leveraging that for multiple things. So it's kind of a, you know, here's one piece of info that's going to get me into a lot of places.
Dave Bittner
You know, we are in, I'd say it's fair to say, a bit of a chaotic situation in Washington, D.C. There's a lot of uncertainty with organizations like the IRS. Are the bad guys taking advantage of that uncertainty? Some of the things like layoffs that we've seen with those kinds of agencies.
Alex Cox
Yeah, I mean, so anytime you see, you know, a reduction in cybersecurity capability, the bad guys typically watch the good guys and, you know, they pay attention to that sort of thing. So I would not be at all surprised to see, you know, bad guys, you know, looking after that and taking care of that, you know, taking advantage of that particular situation. The other thing that's playing a part now is AI and the use of AI with the bad guys. So, you know, we see a lot of bad guys doing phishing checks. You know, here, I'm going to do this phishing message. Let me put it in ChatGPT and make sure it makes sense, you know, because maybe I'm not an English speaker and I can make it sound like, you know, believable English by putting it through, you know, ChatGPT. So what we see is these messages that, you know, the bad guy sends you are still very believable when it comes to the way that the language is used. There are still, you know, some technical means to detect if they're, you know, good or bad. But the, you know, the use of English language, because of AI, has gotten much, much better.
Dave Bittner
So suppose I'm the security professional at my organization and I want to go down the hall and talk to my chief financial officer, maybe some folks in HR who are taking care of payroll or, you know, those kinds of things. What sort of topics should I be bringing up with them for them to have on their radar?
Alex Cox
Yeah, I mean, so what I always tell people is, you know, be suspicious, right? When you get that text message that says, hey, this is the IRS, you know, you owe us money, look a little closer at it, right? So I'll give you an example. I had a friend send me one this morning, and she said, hey, is this, you know, is this phishing? And I looked at it. And it was very believable, from the USPS, you know, apparently. But the domain was a .cc domain. So, you know, .cc is the Cocos Islands, in Australia. The IRS or USPS is probably not going to use that infrastructure. You know, they're probably going to use a .com or .us or something in the U.S., right. You know, so being kind of suspicious there. The other thing I tell people is, you know, especially when it comes to tax information, if the IRS wants to get a hold of you, they're gonna do so in many different ways, right? So maybe you will get a text message, you know, at some point, because you do get text messages that say, hey, your federal return has been accepted. If you go to the IRS website, you'll also see your tax info there, right. If you look in your mailbox, you probably will get a letter from the IRS as well. So it's one of those, like, okay, here's the single point of info. Let me see if I can verify it in other places. But, yeah, I think largely just being very suspicious, you know, as to any single point of information that you just sort of suddenly get out of nowhere, you know, be suspicious of it.
Dave Bittner
Just going broader now, you know, folks like you and your colleagues there at LastPass who are in the password manager business, what part do offerings like yours play in this? You know, not just the ones that you do, but, you know, your competitors'. What sort of safety and mitigations do people enjoy from having that extra layer?
Alex Cox
Yeah, so, you know, so really, I think the most important thing with a password manager is that you're able to create unique passwords for each site that you use. And the reason that's important is when the bad guys get a hold of, you know, say, a trove of usernames and passwords, you know, they'll take alexcox at whatever and password "fluffy", and they'll try that in 50, 100 different sites to see if you've reused that same password over and over again. So when you use a password manager and you're creating those individual complex passwords, if the bad guys get a hold of one of those, they just have access to one site. They don't have access to everything. So that's the main advantage for me, is that I can create this unique password for every single site. I don't have to remember them. They'd be very hard to guess. And it just kind of increases your security that way.
Dave Bittner
The other thing I'll add is something I've noticed, is that it can catch if I'm at a lookalike site. You know, I'll say, hey, I want to log in here. And it'll say, wait a minute, that's not... we're not actually at, you know, Microsoft. We're not actually at Facebook or wherever else. Yeah, so hang on there.
Alex Cox
Yeah, there are, you know, varying ways to approach that problem. Like, one of the things that we do in LastPass is if you're going to paste your information into someplace that LastPass hasn't seen before, it'll actually pop up with a little note that says you're about to paste some info into the site. Are you sure you want to do that? Right. So it gives you that little bit of security, that little bit of second check to make sure you're doing what you intend to do. But yeah, absolutely. Like, being able to detect those sites that aren't actually the sites that you have in your vault is a pretty important feature.
Dave Bittner
Let's be real. Navigating security compliance can feel like assembling IKEA furniture without the instructions. You know you need it, but it takes forever and you're never quite sure if you've done it right. That's where Vanta comes in. Vanta is a trust management platform that automates up to 90% of the work for frameworks like SOC 2, ISO 27001 and HIPAA, getting you audit-ready in weeks, not months. Whether you're a founder, an engineer, or managing IT and security for the first time, Vanta helps you prove your security posture without taking over your life. More than 10,000 companies, including names like Atlassian and Quora, trust Vanta to monitor compliance, streamline risk, and speed up security reviews by up to five times. And the ROI? A recent IDC report found Vanta saves businesses over half a million dollars a year and pays for itself in just three months. For a limited time, you can get $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

And finally, our Speaking from Beyond the Grave desk tells us the story of an Arizona courtroom that just heard from a murder victim, but not in the usual way. Christopher Pelke was shot and killed in a 2021 road rage incident. At the sentencing, an AI-generated version of him took the stand. That's right. His sister built an avatar using AI and voice cloning tools. It looked and sounded like Chris, and it spoke directly to the man who killed him. The avatar forgave the shooter. It said they could have been friends. The judge was moved. The defense even quoted the avatar. The family said their goal was to bring Chris back, to humanize him. And it worked. No one objected. It was all labeled as AI. Still, it raises big questions. Tech gave a voice to the dead, and that voice helped decide a sentence. As powerful as this moment was, we should tread carefully before letting digital ghosts shape real-world justice.

And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com. A quick program note: you can join me for a live webinar Tuesday, May 13. It's titled "On the State of Modern Web Application Security." Join me and Outpost24's Laura Enriquez and Michaelo Stipa on May 13, 12 p.m. Eastern Time, for this live webinar that dives into the biggest threats hitting web applications today and what you can do about them. We're going to talk about why attackers still love web apps in 2025, the latest threat trends shaping the security landscape, how to spot and prioritize critical vulnerabilities fast, along with scalable, practical steps to strengthen your defenses. Again, the webinar is titled "On the State of Modern Web Application Security," Tuesday at noon Eastern time. We'll have a link to register in the show notes.

Be sure to check out this weekend's Research Saturday and my conversation with Lucija Valentić from ReversingLabs. The research is titled "Atomic and Exodus Crypto Wallets Targeted in Malicious NPM Campaign." That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt, identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in Active Directory, Entra ID and hybrid configurations. Identity leaders are reducing such risks with attack path management. You can learn how attack path management is connecting identity and security teams while reducing risk with BloodHound Enterprise, powered by SpecterOps. Head to specterops.io today to learn more. SpecterOps: see your attack paths the way adversaries do.
Title: CyberWire Daily
Host: N2K Networks (Dave Bittner)
Episode: Scrutinizing the Security of Messaging Apps Continues
Release Date: May 9, 2025
1.1. CBP’s Messaging App Under Scrutiny
The U.S. Customs and Border Protection (CBP) confirmed its use of a messaging app from Telemessage, a service that clones popular platforms like Signal and WhatsApp with added archiving features for compliance. However, following a detected cyber incident, CBP disabled the app.
1.2. Hacktivist Breach of Global X Airlines
Hacktivists claiming ties to Anonymous breached Global X Airlines, a US Government contractor involved in deportation flights. They stole flight records, passenger lists, and itinerary data, and defaced the airline's website with a political message.
1.3. FBI Warns on Outdated Routers
The FBI issued warnings about threat actors exploiting outdated, unsupported routers from brands like Cisco's Linksys and Ericsson's Cradlepoint.
1.4. Pearson’s Cyber Attack
UK-based education giant Pearson confirmed a cyber attack where threat actors stole corporate and consumer data by exploiting an exposed GitLab personal access token in a public git config file.
1.5. Exploitation of Windows Remote Management (WinRM)
Researchers at Practical Security Analytics reported increased exploitation of WinRM for stealthy lateral movements within Active Directory environments.
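The WinRM story (item 1.5, and the attack chain the news segment describes: scanning for listeners on 5985 and 5986, authenticating with stolen credentials, running payloads under the remote PowerShell host) is one where the researchers' advice, restrict WinRM and monitor for anomalies, maps directly onto a few telemetry checks. The script below is an added example, not code from the podcast or from Practical Security Analytics. It runs three defender-side rules over constructed Sysmon-style records: a WinRM connection from a host outside an approved jump-host set, one source fanning out to many WinRM endpoints inside a short window (what a 5985/5986 sweep looks like on the wire), and a child process of `wsmprovhost.exe` (the host process for remote PowerShell sessions) under an account not expected to administer remotely. The jump-host address, the admin account list, the fan-out threshold and all sample events are assumptions chosen for illustration.

```python
"""Added example (not from the podcast or from Practical Security Analytics):
three defender-side checks for WinRM lateral movement, run over constructed
Sysmon-style records. Allow-lists, thresholds and sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}                 # HTTP / HTTPS WinRM listeners
ALLOWED_WINRM_SOURCES = {"10.0.0.5"}       # assumed: the only approved jump host
ADMIN_ACCOUNTS = {"CORP\\svc-patch"}       # assumed: accounts allowed to run remote PowerShell
FANOUT_THRESHOLD = 5                       # assumed: distinct WinRM targets per source per window
WINDOW = timedelta(minutes=2)

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def detect_winrm_abuse(net_events, proc_events):
    """Return a list of findings; each finding is a tuple that starts with its rule name."""
    findings = []

    # Rule 1: any WinRM connection from a host outside the approved jump-host set.
    for e in net_events:
        if e["dst_port"] in WINRM_PORTS and e["src_ip"] not in ALLOWED_WINRM_SOURCES:
            findings.append(("unapproved_winrm_source", e["src_ip"], e["dst_ip"]))

    # Rule 2: fan-out, one source reaching many distinct WinRM endpoints inside WINDOW.
    by_src = defaultdict(list)
    for e in net_events:
        if e["dst_port"] in WINRM_PORTS:
            by_src[e["src_ip"]].append((parse_ts(e["ts"]), e["dst_ip"]))
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= WINDOW}
            if len(targets) >= FANOUT_THRESHOLD:
                findings.append(("winrm_fanout", src, len(targets)))
                break  # one finding per source is enough

    # Rule 3: a process spawned by wsmprovhost.exe (host process for remote PowerShell
    # sessions) under an account that is not expected to administer remotely.
    for p in proc_events:
        if p["parent_image"].lower().endswith("wsmprovhost.exe") and p["user"] not in ADMIN_ACCOUNTS:
            findings.append(("wsmprovhost_child", p["host"], p["user"], p["image"]))

    return findings

# Constructed sample telemetry (not real traffic or hosts).
SAMPLE_NET = [
    {"ts": "2025-05-09T09:00:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.10", "dst_port": 5985},
    {"ts": "2025-05-09T09:01:00", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.10", "dst_port": 5985},
    {"ts": "2025-05-09T09:01:05", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.11", "dst_port": 5985},
    {"ts": "2025-05-09T09:01:10", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.12", "dst_port": 5986},
    {"ts": "2025-05-09T09:01:15", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.13", "dst_port": 5985},
    {"ts": "2025-05-09T09:01:20", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.14", "dst_port": 5985},
    {"ts": "2025-05-09T09:01:25", "src_ip": "10.0.2.77", "dst_ip": "10.0.1.10", "dst_port": 443},
    # Approved jump host doing routine work, spaced out: must not trip the fan-out rule.
    {"ts": "2025-05-09T09:10:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.20", "dst_port": 5985},
    {"ts": "2025-05-09T09:13:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.21", "dst_port": 5985},
    {"ts": "2025-05-09T09:16:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.22", "dst_port": 5985},
    {"ts": "2025-05-09T09:19:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.23", "dst_port": 5985},
    {"ts": "2025-05-09T09:22:00", "src_ip": "10.0.0.5",  "dst_ip": "10.0.1.24", "dst_port": 5985},
]
SAMPLE_PROC = [
    {"host": "WS-11", "user": "CORP\\svc-patch", "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "image": "powershell.exe"},
    {"host": "WS-11", "user": "CORP\\jdoe",      "parent_image": "C:\\Windows\\System32\\wsmprovhost.exe", "image": "rundll32.exe"},
    {"host": "WS-12", "user": "CORP\\jdoe",      "parent_image": "C:\\Windows\\explorer.exe",              "image": "powershell.exe"},
]

def run_sample():
    return detect_winrm_abuse(SAMPLE_NET, SAMPLE_PROC)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample data the unapproved host 10.0.2.77 produces five rule-1 findings and one fan-out finding (five distinct targets in 25 seconds), while the approved jump host's spaced-out sessions produce none; the `rundll32.exe` launched from `wsmprovhost.exe` under a non-admin account is the rule-3 hit. In production the same three rules would read Sysmon Event ID 3 (network connection) and Event ID 1 (process creation) rather than inline dictionaries, and the allow-lists would come from the WinRM restriction policy the researchers recommend, so a violation of the policy and a detection of it are the same rule.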
1.6. Sophisticated Email Attack Campaign (RATI Trojan)
Fortinet researchers uncovered an email campaign using malicious PDF invoices to deliver the cross-platform Remote Access Trojan (RATI).
1.7. Zero-Day Vulnerability in SAP NetWeaver
A critical zero-day in SAP NetWeaver allowed remote code execution, compromising hundreds of systems globally.
1.8. Indiana Health System Data Breach
Union Health System reported a breach affecting nearly 263,000 individuals due to a January cyber attack on legacy Cerner systems during migration to Oracle's cloud.
2.1. Tax-Related Cyber Lures Targeting Refunds
Alex Cox discusses the surge in cyber attacks during tax season, where attackers exploit the period's increased financial activities to target both individuals and larger entities like CPA firms and tax preparation agencies.
2.2. AI Empowering Phishing Attacks
AI technologies, such as ChatGPT, are being leveraged by threat actors to craft more convincing phishing messages, enhancing the believability and sophistication of their attacks.
2.3. Best Practices for Security Professionals
Cox emphasizes the importance of vigilance and skepticism in verifying unexpected communications, especially those requesting sensitive information.
2.4. Role of Password Managers in Enhancing Security
Password managers like LastPass play a crucial role in mitigating risks by enabling users to generate unique passwords for each site, thereby limiting the impact of potential credential leaks.
A groundbreaking case in an Arizona courtroom featured an AI-generated avatar of a murder victim, Christopher Pelke, who was killed in a 2021 road rage incident.
This episode of CyberWire Daily provided a comprehensive overview of recent cybersecurity incidents, highlighted the evolving tactics of threat actors, and offered expert insights into best practices for enhancing organizational security. The discussion with Alex Cox underscored the critical role of password managers and the growing sophistication of AI-driven attacks, while the special segment raised important ethical considerations regarding AI in legal contexts.
For detailed information on each story and to stay updated with the latest cybersecurity trends, listeners are encouraged to visit thecyberwire.com and engage with upcoming webinars and research reports.