Transcript
A (0:02)
You're listening to the Cyberwire Network powered by N2K. AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barak Shalef from Oasis Security on Wednesday, December 3rd at 1pm Eastern for a live discussion on agentic access management and how to secure non-human identities without slowing innovation. Can't make it live? Register now to get on-demand access after the event. Visit events.thecyberwire.com, that's events with an s dot thecyberwire.com, to save your spot.
B (1:01)
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire, that's M E T E R dot com slash cyberwire. ShadyPanda plays the long game. India mandates tracking software on mobile devices. Korea weighs punitive damages after a massive breach. Qualcomm patches a critical boot flaw impacting millions. OpenAI patches a Codex CLI vulnerability. Google patches Android zero days. Cybersecurity issues prompt an FDA permanent recall for an at-home ventilator system. Switzerland questions the security of hyperscale clouds and SaaS services. One of the world's largest cyber insurers pulls back from the market. On our Threat Vector segment, David Moulton sits down with Stav Seti to unpack the Jingle Thief campaign. And in Russia, Porsches take a holiday. It's Tuesday, December 2, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It's great to have you with us. A seven-year campaign used seemingly legitimate Chrome and Edge extensions to infect 4.3 million users with backdoors and spyware, according to Koi researchers. 
The group dubbed ShadyPanda published clean extensions, waited years to build large user bases, then pushed malicious updates that auto-installed across all devices. Five extensions with more than 4 million installs remain live in the Microsoft Edge store. One campaign delivered a remote code execution backdoor to 300,000 users through five extensions, including one named CleanMaster, which exfiltrated full browsing activity to attacker-controlled servers and included anti-analysis features. Another set of five Edge extensions, including the 3-million-install WeTab, still collects extensive behavioral data and sends it in real time to servers in China and Google Analytics. Earlier campaigns silently monetized user traffic or hijacked searches. Koi says the incidents highlight a core marketplace weakness: extension stores review submissions but do not monitor updates after approval. India is expanding its anti-theft and cybersecurity program to cover new and used smartphones, according to reporting from Reuters and also confirmed by the Telecom Ministry. Companies that buy or trade second-hand devices must now verify each phone's IMEI number against a central database. The move follows a directive requiring manufacturers to pre-install the government's Sanchar Saathi app on new phones and push it to existing devices through software updates. Sanchar Saathi has blocked or traced millions of stolen phones and has seen rapid adoption since its 2023 launch. Critics say mandatory installation expands state access to personal devices without adequate safeguards. Apple has told officials it will not comply, citing privacy and security concerns for its ecosystem. South Korean President Lee Jae Myung ordered a rapid investigation into Coupang's massive data breach, calling the five-month undetected leak astonishing in scale. Officials say information tied to at least 30 million users was accessed after an attacker exploited an electronic signature key. 
The government is considering punitive damages to deter future lapses, a shift from Korea's compensatory-only model. Coupang's CEO said the company will comply with penalties that could reach record levels. Police have not confirmed the attacker's identity. Qualcomm issued an urgent security bulletin warning of six high-priority vulnerabilities across millions of devices. The most serious threatens the secure boot process that protects devices during startup. Qualcomm says an attacker could bypass checks, install persistent malware or gain control before the operating system loads. The flaw was found internally, raising questions about how long it existed in deployed devices. Five additional vulnerabilities affect the high-level operating system, TrustZone firmware, audio DSP services and camera functions. Qualcomm is distributing patches to manufacturers and urges immediate deployment. Users should check with their device makers for update timelines. OpenAI patched a Codex CLI vulnerability that allowed malicious commands to run automatically on developers' machines, according to Check Point. The tool implicitly trusted configuration files inside local repositories and executed their instructions without user approval. Attackers who could commit or merge crafted configs could trigger remote access, command execution, credential theft and lateral movement, creating a reproducible supply chain backdoor. Compromised templates or popular repos could also infect downstream users. Google's latest Android Security Bulletin disclosed 107 zero-day vulnerabilities affecting Android and the Android Open Source Project. 51 flaws were patched on December 1, including three high-impact issues in the Android framework. Google says two may be under limited targeted exploitation and can enable unauthorized information disclosure or elevated access across Android 13 through 16. A third flaw could trigger remote denial of service. 
Google says they'll release the remaining 56 patches on December 5th. The FDA has issued a permanent recall for Baxter's Life 2000 at-home ventilator system, citing an unspecified cybersecurity issue that could let someone with physical access alter therapy settings or access device data. Baxter began notifying patients in April, but the FDA's public alert came in late November, warning that continued use could cause serious injury or death. Patients are urged to stop using the device and consult providers for replacements. Baxter reports no related injuries or deaths as of April 10. It remains unclear whether this recall is connected to earlier Life 2000 advisories involving multiple vulnerabilities. Security experts say a permanent recall for a cyber issue is rare and signals significant patient safety concerns, while noting that neither Baxter nor the FDA has detailed the specific flaw involved. Switzerland's Conference of Data Protection Officers, Privatim, issued a resolution urging public bodies to avoid hyperscale clouds and most SaaS services due to security risks. The group warns that many SaaS platforms lack true end-to-end encryption and that providers, especially those subject to the US CLOUD Act, could access sensitive data. Privatim also notes that vendors can change terms unilaterally, reducing government control. The resolution concludes that large international SaaS offerings, including Microsoft 365, are generally inappropriate for handling particularly sensitive Swiss government data. Beazley, one of the world's largest cyber insurers, is pulling back from the market as rising ransomware and hacking claims drive higher losses. According to the Financial Times, the company's cyber gross written premiums fell 8% to $848 million through September, and executives cite geopolitical volatility as fueling more costly attacks. While Beazley reduces its exposure, rivals like Chubb and AIG are maintaining or expanding their cyber books. 
Premiums have been declining since early 2024 due to intense competition for a limited pool of buyers. The sector's strain shows up in the UK as well, where the Association of British Insurers reports a 230% year-over-year surge in cyber claims, driven largely by malware and ransomware incidents. Coming up after the break on our Threat Vector segment, David Moulton sits down with Stav Seti to unpack the Jingle Thief campaign. And in Russia, Porsches take a holiday. Stick around. What's your 2am security worry? Is it "do I have the right controls in place?" Maybe "are my vendors secure?" Or the one that really keeps you up at night: "how do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber, that's V A N T A dot com slash cyber. AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping and often specific to industries, geographies or regulations. That's why Black Kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com. 
On today's Threat Vector segment, David Moulton, Senior Director of thought leadership at Unit 42 with Palo Alto Networks, sits down with Stav Seti, principal researcher at Palo Alto Networks, to unpack the Jingle Thief Cloud Only Identity Driven campaign.
