Risky Bulletin: Plone CMS Stops Supply-Chain Attack
Podcast: Risky Bulletin | Host: risky.biz
Episode Date: February 4, 2026 | Read by Claire Aird, Reported by Catalin Cimpanu
Episode Overview
This episode of the Risky Bulletin delivers a rapid-fire roundup of the latest cybersecurity news, focusing on supply-chain attacks, data leaks, law enforcement actions, major breaches, and new vulnerabilities. The headline story covers how the Plone CMS averted a targeted supply-chain compromise, with additional updates on malicious AI skills, high-profile raids, new malware, and security industry shifts.
Key Discussion Points & Insights
1. Plone CMS Supply Chain Breach Averted
[00:04-01:05]
- Incident Summary:
  - An attacker compromised a developer on the Plone CMS project and used their personal account token to insert malicious code designed to steal credentials, API keys, and crypto wallet data.
  - The attack specifically targeted developers working with Plone, not end-users of Plone-based sites.
- Response: The malicious modifications were detected and removed before the code made it into a release.
- Attribution: GitHub's security team discovered the issue.
"A threat actor managed to insert code into the Plone CMS project, but the modifications were removed before release." – Claire Aird, [00:13]
2. Surge in Malicious OpenClaw AI Skills
[01:06-02:10]
- Rapid Growth:
  - Malicious skills on the Clawhub portal jumped from 28 to 400 in a single week.
  - OpenClaw is an open-source AI assistant platform, formerly called Claudebot/Maltbot.
- User Impact:
  - Attackers use malicious skills (add-ons) to steal credentials or deploy malware.
- Associated Incident:
  - 1.5 million API tokens leaked from the Maltbook AI platform (OpenClaw's social network) due to a misconfigured Supabase database.
  - The leak included tokens, agent messages, and owner information.
  - Cloud security firms Permiso and Wiz reported the leak.
"Security researchers recently spotted a growing number of malicious OpenClaw skills that steal user credentials or deploy malware." – Claire Aird, [01:21]
3. OpenVSX Marketplace Security Upgrades
[02:11-02:35]
- Platform Changes:
  - The Eclipse Foundation will introduce security scans for malicious code, typo-squatted names, and leaked credentials on its VS Code extension marketplace, OpenVSX.
- Background:
  - OpenVSX has previously hosted hundreds of malicious extensions, including "Glassworm," a self-replicating malware.
4. X (Ex-Twitter) Office Raids and Criminal Investigation
[02:36-03:05]
- Law Enforcement:
  - Europol and French authorities raided X's Paris offices as part of a probe into child sexual abuse images and deepfakes allegedly generated using the platform's Grok AI feature.
  - The former and current CEOs (Elon Musk and Linda Yaccarino) have been summoned for hearings in April.
5. Automated License Plate Reader Shutdown in Mountain View
[03:06-03:23]
- City Action:
  - Mountain View is disabling its Flock automated license plate readers after unauthorized data access by out-of-state agencies and inadequate notification from the vendor.
6. Chinese APT Hacked Notepad App Servers
[03:24-03:58]
- Attack Overview:
  - Rapid7 attributes a six-month breach of the Notepad app's servers to the Chinese APT groups Billbug and Lotus Blossom.
- Impact:
  - The attackers shipped malicious updates to specific targets.
  - They deployed a new backdoor named Chrysalis.
"A Chinese state hacking group spent six months inside the server infrastructure of the Notepad app." – Claire Aird, [03:24]
7. Ransomware, Extortion, and Cryptocurrency Thefts
[03:59-05:25]
- Belgian High School Breach:
  - Attackers are extorting parents (€50 each) after the school refused a €15,000 ransom.
- Step Finance Hack:
  - $30 million in tokens stolen; the token's value dropped 80%.
- CrossCurve Cryptocurrency Bridge Breach:
  - $3 million stolen; the CEO threatens legal action if the funds are not returned.
- NationStates Browser Game:
  - A player accessed and exfiltrated the game's source code, emails, passwords, and IPs; the player has apologized.
- Canada Computers Retailer:
  - A skimmer attack collected card data from guest checkout users in December.
8. Meta (WhatsApp) Moves to Rust for Media Handling
[05:26-05:48]
- Security Enhancement:
  - Meta is adopting Rust to handle WhatsApp media files, addressing memory safety vulnerabilities in the legacy C/C++ code.
9. Recent Vulnerabilities & Malicious Activity
[05:49-06:45]
- Citrix ADC/Netscaler Recon:
  - Over 60,000 residential IPs are probing for login pages.
- CISA Vulnerability Updates:
  - 59 KEV vulnerabilities were re-categorized as ransomware attack vectors; the change went unannounced.
- Metro Development Server (React Native):
  - An OS command injection flaw is being targeted.
- Nitrogen Ransomware Issue:
  - A variant corrupts VMware ESXi files irrecoverably; a security firm urges victims not to pay the ransom.
10. Underground Cybercrime Shifts
[06:46-07:19]
- Globalman Exit Scam:
  - The marketplace for stolen code signing certificates vanished, taking users' funds with it.
- Naish Team Persistence:
  - The group evaded a Russian crackdown and reestablished its infrastructure; it has specialized in remote access trojans since 2022.
11. Meta Ad Scams in Europe
[07:20-07:46]
- Scale of Fraud:
  - One third of Meta ads in Europe/UK over a 23-day period were linked to online scams.
- Attribution:
  - 10 advertisers were responsible for more than half of the bad ads; their infrastructure was tied to China and Hong Kong.
"A small cluster of 10 advertisers were responsible for more than 50 of the malicious ads." – Claire Aird, [07:38]
Notable Quotes & Memorable Moments
- On the Plone breach:
  "The code targeted developers working with Plone rather than visitors to Plone-based sites." – Claire Aird, [00:33]
- On supply-chain vigilance:
  "The attacker compromised a developer on the project. Their personal account token was used to add code that was designed to steal credentials, API keys and crypto wallet data." – Claire Aird, [00:17]
- On AI skill threats:
  "Malicious skills on the Clawhub portal reached 400 on Tuesday, up from 28 last week." – Claire Aird, [01:10]
- On law enforcement action:
  "The French offices of social media network X have been raided by Europol and local authorities. The raids were part of a criminal investigation over child sexual abuse images and pornographic deepfakes." – Claire Aird, [02:37]
- On crypto platform hacks:
  "Hackers have stolen almost $30 million worth of tokens from the Step Finance DeFi platform. The company says the hackers used a well-known attack vector to access its treasury wallets." – Claire Aird, [04:37]
Timestamps for Key Segments
- 00:04 – Plone CMS supply chain attack details
- 01:10 – OpenClaw AI skills surge, API token leak
- 02:11 – OpenVSX security announcement
- 02:36 – X office raid
- 03:24 – Notepad app APT breach
- 03:59 – Ransomware, crypto theft news
- 05:26 – WhatsApp moves to Rust
- 05:49 – Citrix scan campaign, CISA updates
- 06:46 – Globalman exit scam, Naish team update
- 07:20 – Meta ad scam report
Tone and Style
The episode maintains a brisk, factual tone—delivering cybersecurity developments with clarity and urgency. It’s densely packed with technical detail but accessible to security professionals and a wider tech-savvy audience.
For more in-depth stories and cybersecurity analysis, tune in to future Risky Bulletin episodes.
