CyberWire Daily: "ShadyPanda’s patient poisoning."
Date: December 2, 2025
Host: Dave Bittner (N2K Networks)
Special Segment: Threat Vector with David Moulton and Stav Seti
Episode Overview
This episode of CyberWire Daily focuses on several pressing cybersecurity incidents and industry trends, with in-depth reports on malicious browser extension campaigns (including ShadyPanda), government-driven cybersecurity mandates, major data breaches, and critical product recalls due to cyber vulnerabilities. The episode also features a deep-dive Threat Vector interview on the "Jingle Thief" campaign—an advanced, identity-driven cloud fraud operation.
Key Discussion Points and Insights
1. ShadyPanda’s Malicious Browser Extensions
[03:13 – 05:17]
- Incident Summary: KOI researchers discovered a sophisticated, long-running campaign in which the ShadyPanda group distributed seemingly legitimate Chrome and Edge browser extensions to slowly amass a user base before covertly activating malicious capabilities.
- Over 4.3 million users infected over seven years.
- Extensions, including “CleanMaster” and “WeTab”, were updated with spyware/backdoors.
- Some extensions exfiltrated full browsing activity and performed anti-analysis.
- Extensions remain live on the Microsoft Edge store.
- Marketplace Flaw Highlighted:
“Extension stores review submissions but do not monitor updates after approval.”
— Dave Bittner, [04:45]
2. India’s Mobile Security Mandate
[05:36 – 06:29]
- Policy Change: All buyers and sellers of new and used smartphones must verify phone IMEIs against a central database.
- Mandatory App Deployment:
- The government’s anti-theft app “Sanchar Saathi” must be pre-installed on new devices and pushed to older ones.
- Apple refuses compliance, citing privacy concerns.
- Privacy Concerns:
“Critics say mandatory installation expands state access to personal devices without adequate safeguards.”
— Dave Bittner, [06:22]
3. South Korea’s Coupang Data Breach
[06:31 – 07:10]
- Scope: Attackers accessed data of at least 30 million users over 5 months.
- Response: President orders urgent investigation and considers punitive damages—the first move away from “compensatory only” data breach models.
- Quote:
“Five-month undetected leak—astonishing in scale.”
— Summary, [06:34]
4. Qualcomm’s Critical Device Flaw
[07:11 – 08:00]
- Nature of Threat:
- Six high-priority vulnerabilities, including a secure boot flaw that could allow persistent malware/rootkit installation before OS loads.
- Five additional vulnerabilities affect system firmware and major device subsystems.
- Patch Status: Qualcomm urges immediate update and is distributing patches to manufacturers.
5. OpenAI Codex CLI and Google Android Zero Days
[08:01 – 08:40]
- OpenAI Codex CLI Vulnerability:
- Codex CLI trusted configs, enabling silent remote code execution on developer machines.
- Potential for supply chain attacks through compromised repositories/templates.
- Google Android:
- Security Bulletin fixes 51 zero-days (with 56 more pending).
- Three framework vulnerabilities are under active exploitation across Android 13–16.
6. Baxter Life 2000 Ventilator Recall (Patient Poisoning Theme)
[08:41 – 09:35]
- Event: FDA demands permanent recall of at-home ventilators after discovery of a cyber vulnerability enabling therapy setting alteration or data access.
- Severity:
“Continued use could cause serious injury or death.”
— FDA, [09:14]
- Unusual Step: Security experts note that “a permanent recall for a cyber issue is rare.”
7. Switzerland’s SaaS and Cloud Security Warning
[09:36 – 10:21]
- Swiss data authorities advise public bodies to avoid most SaaS/cloud platforms due to:
- Weaknesses in end-to-end encryption
- Risks stemming from foreign jurisdiction (e.g., U.S. Cloud Act)
- Provider ability to unilaterally change terms
8. Cyber Insurance Market Shift
[10:22 – 11:05]
- Beazley (major cyber insurer) pulls back from the market after losses from the ransomware surge.
- Cyber gross written premiums down 8% YTD.
- UK cyber claims rose by 230% YoY.
Threat Vector Segment: "Inside the Jingle Thief Campaign"
[14:21 – 18:58]
Host: David Moulton (Unit 42, Palo Alto Networks)
Guest: Stav Seti (Principal Researcher, Unit 42)
Segment Overview
A detailed conversation around the “Jingle Thief” campaign—an advanced, financially driven operation exploiting Microsoft 365 cloud identity features to commit extensive gift card fraud against major global retailers.
Key Points and Memorable Quotes
- Nature of Attackers and Technique:
“As Stav puts it, attackers don’t need exploits or malware anymore. They just need to compromise identities. One stolen account can become dozens in a matter of months, all while they sit inside your cloud environment using your own workflows against you.”
— David Moulton, [14:30]
- Overview of the Jingle Thief Campaign:
- Financially motivated attackers (likely “Atlas Lion” from Morocco, active since 2021).
- No malware or exploits: Relies solely on living off the land in cloud environments—especially Microsoft 365.
- Attackers can remain undetected for months (“over 10 months” in some cases).
- Focused on gift card fraud versus traditional ransomware.
- Unique Characteristics:
- Patience and discipline (long-term persistence within orgs)
- Unusual focus on gift card theft through cloud identity compromise
Quote:
“What makes it even more fascinating is that this is in the cloud. There's no malware, there's no exploits. They're purely living in Microsoft 365, which is a bit unusual.”
— Stav Seti, [15:49]
- Major Lessons for Security Teams:
- Multi-Factor Authentication (MFA) ≠ Safety; must not be treated as absolute security.
- Monitor closely for all new password resets, device enrollments, and login anomalies.
- Attacks can occur without tripping traditional endpoint/malware alarms.
Quote:
“A lot of times security teams will say, ‘hey, MFA, that equals safety.’ And I think it's really important to recognize that MFA is not safe… they should really monitor every new password, reset every new device enrollment… all that needs to be monitored.”
— Stav Seti, [18:10]
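The monitoring advice in the lessons above (review every password reset and device enrollment, and watch for login anomalies) can be expressed as a small correlation rule. The Python below is an added example written for this summary, not code from Unit 42, the podcast, or any vendor: the audit events, their field and operation names, the per-user country baseline, and the 24-hour correlation window are all constructed assumptions. It lists every reset and enrollment for review, flags sign-ins from a country outside the user's baseline, and escalates the reset-then-enroll sequence that turns a stolen account into a persistent, MFA-enrolled foothold.

```python
from datetime import datetime, timedelta

# Constructed sample audit events, loosely modelled on cloud identity audit
# records. Field names (ts, op, user, country) and operation names are
# assumptions for this example, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T08:02:00Z", "op": "UserLoggedIn",     "user": "a.ng@example.com",    "country": "US"},
    {"ts": "2025-11-03T08:05:00Z", "op": "UserLoggedIn",     "user": "a.ng@example.com",    "country": "MA"},
    {"ts": "2025-11-03T08:07:00Z", "op": "ResetPassword",    "user": "a.ng@example.com",    "country": "MA"},
    {"ts": "2025-11-03T08:12:00Z", "op": "DeviceRegistered", "user": "a.ng@example.com",    "country": "MA"},
    {"ts": "2025-11-03T09:00:00Z", "op": "UserLoggedIn",     "user": "b.ortiz@example.com", "country": "US"},
    {"ts": "2025-11-04T10:00:00Z", "op": "DeviceRegistered", "user": "b.ortiz@example.com", "country": "US"},
]

# Constructed baseline: countries each user has signed in from recently
# (in practice, derived from the previous weeks of successful logins).
BASELINE_COUNTRIES = {
    "a.ng@example.com": {"US"},
    "b.ortiz@example.com": {"US"},
}

# Assumed window for correlating a password reset with a device enrollment.
CHAIN_WINDOW = timedelta(hours=24)


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def review_identity_events(events, baseline):
    """Return a list of (severity, user, reason) findings.

    - every password reset and device enrollment is listed as "info", because
      each one should be reviewed rather than filtered out;
    - a sign-in from a country outside the user's baseline is "medium";
    - a password reset followed by a device enrollment for the same user
      within CHAIN_WINDOW is "high".
    """
    findings = []
    last_reset = {}  # user -> time of the most recent password reset
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        user, op, when = ev["user"], ev["op"], parse_ts(ev["ts"])
        if op == "UserLoggedIn":
            if ev["country"] not in baseline.get(user, set()):
                findings.append(("medium", user, f"sign-in from new country {ev['country']}"))
        elif op == "ResetPassword":
            findings.append(("info", user, "password reset"))
            last_reset[user] = when
        elif op == "DeviceRegistered":
            findings.append(("info", user, "device enrollment"))
            reset_at = last_reset.get(user)
            if reset_at is not None and when - reset_at <= CHAIN_WINDOW:
                findings.append(("high", user, "device enrolled within 24h of password reset"))
    return findings


def high_severity_users(findings):
    """Users with at least one 'high' finding, sorted for stable output."""
    return sorted({user for sev, user, _ in findings if sev == "high"})


if __name__ == "__main__":
    for finding in review_identity_events(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(*finding, sep=" | ")
```

On the constructed sample, the first user trips all three rules (new-country sign-in, then a reset followed minutes later by a device enrollment), while the second user's enrollment appears only as an "info" item for review. The point of the "info" tier is the guest's advice taken literally: resets and enrollments are rare enough per user that each one is worth a human look, and the correlation rule exists so the sequence that matters most is not lost in that list.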
- Key Takeaway:
“Jingle Thief shows how identity-based compromise turns trusted cloud features into a revenue engine for attackers and why identity really is the new perimeter.”
— David Moulton, [18:58]
[Special episode available: "Inside Jingle Feed Cloud Fraud Unwrapped"]
Other Industry News Briefs
- Russia/Porsche Satellite Security Outage
- Hundreds of Porsches in Russia disabled after the factory vehicle-tracking system lost connectivity.
- Drivers struggled with “sudden engine shutdowns and fuel blockages;” some managed to restore function via resets or battery tricks.
- Rumors of “deliberate interference” but no evidence to support this.
— [21:17–21:54]
Memorable Moments & Quotes
- On marketplace failings:
“Extension stores review submissions but do not monitor updates after approval.”
— Dave Bittner, [04:45]
- On cloud identity risk:
“Attackers don’t need exploits or malware anymore. They just need to compromise identities.”
— David Moulton, [14:30]
- On gift card fraud strategy:
“In one case... we saw them active in an organization for over 10 months, which is really crazy. That kind of patience made us go, hey, this is really something different here.”
— Stav Seti, [17:18]
- On MFA:
“MFA is not safe… all that needs to be monitored.”
— Stav Seti, [18:10]
Important Timestamps
- ShadyPanda campaign breakdown: [03:13 – 05:17]
- India’s mobile security program expansion: [05:36 – 06:29]
- Coupang breach response: [06:31 – 07:10]
- Qualcomm vulnerabilities: [07:11 – 08:00]
- OpenAI and Google patches: [08:01 – 08:40]
- Baxter ventilator recall: [08:41 – 09:35]
- Switzerland cloud guidance: [09:36 – 10:21]
- Insurance retreat after ransomware surge: [10:22 – 11:05]
- Threat Vector: Jingle Thief campaign interview: [14:21 – 18:58]
- Porsche satellite system failure in Russia: [21:17 – 21:54]
Summary
This episode underscores the evolving risks in the cyber landscape: the growing sophistication of threat actors who exploit user trust and slow marketplace responses (e.g., ShadyPanda extensions), the expanding regulatory and technological responses to device theft and privacy, the mounting impact of massive data breaches and supply-chain risks, and the dramatic new stakes in safety-critical IoT and medical device security. The extended Threat Vector segment provides real-world lessons about how attackers exploit cloud identity, what defenders get wrong about MFA, and why security teams must rethink the definition of cloud “perimeter.”
Identity is the new battleground—and even basic features can turn into vulnerabilities if trust is unchecked.
