SecurityWeek’s weekly cybersecurity digest provides a brief roundup of significant events that may not get individual articles but are still important to understand current threats. This selection covers the most notable recent updates in vulnerabilities, attack techniques, policy changes, industry findings, and other developments to keep you informed about the shifting cybersecurity landscape.
Here are this week’s major stories:
Decade-old phpBB vulnerability allows account takeover
A serious authentication bypass has been found in phpBB versions up to 3.3.16 and 4.0.0-a2. Attackers can impersonate any user, including administrators, with just one unauthenticated HTTP request, gaining access to private messages, forum content, and full admin privileges. Users should update to version 3.3.17 or the latest master branch immediately. Although a fix was released quickly after being reported through HackerOne, many forums are still vulnerable.
Velvet Ant operated undetected for years in isolated critical infrastructure
A threat actor linked to China, known as Velvet Ant, infiltrated an organization’s air-gapped network around 2016. The group used internet-facing entry points, Nginx/FastCGI proxies, and modified PAM/OpenSSH components to steal credentials and maintain access. They deployed GS-Netcat variants, SOCKS5 proxies, and nine pam_unix.so backdoors across multiple systems. Cleaning up the compromise proved challenging.
MaXSS and Spyder flaws put 10 million Chrome users at risk
Serious vulnerabilities in SiderAI (Spyder) and MaxAI (MaXSS) Chrome extensions with side-panel AI features allow malicious websites to trigger unauthorized extension actions, such as capturing hidden tab screenshots, extracting AI memory data, and potentially accessing files. With over 10 million total installations and no response from the developers, these flaws could lead to complete browser session hijacking and account takeovers without any user action. Users should uninstall these extensions until patches are available.
AWS introduces Continuum
AWS has launched a new AI-driven tool to help organizations identify, prioritize, validate, and fix security vulnerabilities. Currently in limited preview, Continuum combines data from existing security tools and its own scans, ranking vulnerabilities based on how exploitable they are in the user’s specific environment.
Over 1.2 million WordPress sites hit in OptinMonster supply chain attack
Attackers injected harmful JavaScript into CDN scripts for Awesome Motive’s OptinMonster, TrustPulse, and PushEngage WordPress plugins. The malicious code targets logged-in administrators, creating fake admin accounts and installing a hidden backdoor plugin. The attack originated from a compromised UpdraftPlus instance and stolen CDN credentials. More than 1.2 million WordPress sites are believed to have been affected.
FTC reports imposter scams cost Americans $3.5 billion in 2025
According to the FTC, imposter scams remain the most frequent type of fraud, with losses nearly three times higher than in 2020. Scams impersonating banks and government agencies caused the most damage, typically using fake security warnings to trick victims into transferring money. Total fraud losses reached a record $16 billion. The FTC continues to enforce its Impersonation Rule and promote public education efforts.
US DOT concludes Delta CrowdStrike outage investigation without fines
The Department of Transportation has closed its investigation into Delta Air Lines’ slow recovery from the global CrowdStrike incident without imposing penalties. Investigators determined the airline provided sufficient refunds, baggage assistance, and accommodations for passengers with disabilities. This decision reflects the current administration’s move away from certain consumer protection enforcement priorities of the previous administration.
JetBrains Marketplace plugins steal AI API keys from developers
At least 15 malicious AI coding assistant plugins on the JetBrains Marketplace, published under different developer accounts, are stealing API keys for services like OpenAI and DeepSeek. Despite functioning as advertised, these plugins have been installed nearly 70,000 times and send stolen keys in plain text to an attacker-controlled server. The plugins also appear to resell stolen access to paying customers.
Apple updates Beats firmware to fix unauthorized microphone access
A firmware update (version 1B211) for Beats Studio Buds addresses CVE-2025-20701, which let nearby attackers eavesdrop through the microphone on unpaired devices searching for connections. The update installs automatically when paired with Apple devices. This is one of three Bluetooth security flaws disclosed last year that affect products from multiple major manufacturers.
Popa botnet connected to Israeli proxy service
Researchers have tied the large Popa Android TV box botnet, used for residential proxy traffic in ad fraud and web scraping, to NetNut, a service run by publicly traded Israeli company Alarum Technologies. An SDK reportedly converts compromised streaming devices into long-lasting proxies. The operation generates millions of IP addresses daily and raises concerns both about the security of the home networks hosting these devices and about the proxy service's links to data scraping. NetNut and Alarum have rejected the claims, calling them “demonstrably inaccurate assertions and flawed deductions rather than verified facts.”
GCP Config Connector flaw allows organization-wide admin takeover
A confused deputy vulnerability in Config Connector allows any Kubernetes namespace user to escalate privileges to GCP Organization Owner by submitting a malicious IAMPolicyMember. Google initially classified the issue as P1/S1 but later labeled it “working as intended” and did not patch it. The vulnerability impacts organizations using the service for organization-level management.
ShinyHunters leaks Knicks and MSG employee and customer data
Hackers have released Madison Square Garden data, including information on Knicks-related “talent” (players, coaches, celebrities) with risk assessments, addresses, and contact details, along with customer communications. The leak follows a breach on June 5. ShinyHunters continues its practice of public data releases to pressure victims.