By security practitioners, for security practitioners

Weekly Top 10: 02.10.2025: PyPI Now Supports Project Archival; Critical RCE Bug in Microsoft Outlook; Stealers on the Rise: A Closer Look at a Growing macOS Threat, and More.

WEEKLY TOP TEN: February 10, 2025, 16:00 GMT

  1. PyPI Now Supports Project Archival

    PyPI has added a new feature allowing maintainers to mark projects as archived, signaling they won’t receive future updates or security fixes. This is particularly important for security, as abandoned packages are often targeted by attackers who take over and inject malicious code through unexpected updates.

    While archived projects can still be installed and aren’t removed from PyPI, the warning banner helps developers identify when they need to find actively maintained alternatives. The feature is also safer than deletion, which can lead to ‘Revival Hijack’ attacks, where abandoned package names are maliciously reused. This is part of a larger initiative to improve project lifecycle management on PyPI, removing the guesswork around maintenance status that’s common in open-source projects.
  2. NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App

    A security assessment of the DeepSeek iOS app has revealed critical vulnerabilities that put users at risk. The app sends unencrypted data over the internet, uses weak encryption with hardcoded keys, and stores sensitive information insecurely on devices. Most concerning is that user data, including AI prompts and device information, is sent to ByteDance servers in China.

    While this type of data collection isn’t unique, the combination of poor security practices and Chinese data governance has led many organizations to ban the app. NowSecure recommends that companies immediately remove DeepSeek from both managed and personal devices. A locally hosted instance of the model avoids the data-transmission concern, but that is rarely how it runs on phones.
  3. Stealers on the Rise: A Closer Look at a Growing macOS Threat

    Mac-focused infostealers have doubled in the last two quarters of 2024, with Poseidon, Atomic, and Cthulhu being the most prevalent threats. These malware families typically spread through fake app installers and malicious ads, using AppleScript to trick users into granting permissions. Once installed, they steal sensitive data, including browser passwords, crypto wallets, and keychain credentials.

    What makes these threats particularly dangerous is their ability to bypass security by appearing as legitimate system prompts. This allows attackers to steal personal and enterprise data, which can lead to further compromises.
  4. Hackers Exploit Cityworks RCE Bug to Breach Microsoft IIS Servers

    A critical vulnerability in Trimble’s Cityworks software is being actively exploited by hackers to breach Microsoft IIS servers. The flaw (CVE-2025-0994) allows authenticated users to execute remote commands, with attackers using it to deploy Cobalt Strike beacons for network access.

    The vulnerability affects versions before 15.8.9 and 23.10, mainly impacting local governments and utilities that use the GIS-based asset management software. Cloud instances are updated automatically, but on-premises deployments, especially those whose IIS identity runs with more privileges than the application needs, need immediate patching.
  5. HTTP Client Tools Exploitation for Account Takeover Attacks

    Account takeover attempts using HTTP clients have targeted 78% of Microsoft 365 tenants in 2024. While most brute force attacks have low success rates, a recent campaign using the Axios client successfully compromised 43% of targeted accounts by combining precision targeting with AitM techniques to bypass MFA.

    Another notable campaign used Node Fetch to launch over 13 million login attempts, primarily targeting educational institutions. The shift in HTTP clients from OkHttp to newer tools like Axios and Go Resty shows threat actors are constantly evolving their tactics to improve success rates and avoid detection.
  6. OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines

    Researchers at Aqua Security have discovered ways to bypass OPA Gatekeeper’s k8sallowedrepos policy, which restricts which container registries can be used in Kubernetes clusters. The policy matches image names by string prefix, so the bypass occurs when administrators omit the trailing slash on allowed registry entries—for example, allowing “myregistry[.]com” instead of “myregistry[.]com/” lets attackers pull from a registry such as “myregistry[.]com[.]attacker[.]com”, which shares that prefix.

    The same pattern affects similar tools such as Kyverno, and it is particularly concerning because major cloud providers, including GCP and Azure, recommend these policies for Kubernetes security. The researchers recommend always terminating allowed registry entries with a trailing slash and being careful with any policy logic that matches string prefixes or suffixes rather than parsing the image reference.
  7. Netgear Patches Critical Vulnerabilities in Some WiFi Routers

    Two critical vulnerabilities have been found in several Netgear WiFi router models. The first flaw allows remote code execution and the second enables authentication bypass; both require minimal effort to exploit. Netgear’s internal advisory identifiers suggest these flaws were reported in 2021 and 2023, long before being patched.

    Netgear routers have historically been targeted for botnet operations, including by Chinese state actor Volt Typhoon in 2024. This makes these vulnerabilities particularly concerning, as compromised routers are often used for DDoS attacks, spam campaigns, and cyber espionage. Users of affected models should update their firmware immediately.
  8. Critical RCE Bug in Microsoft Outlook Now Exploited in Attacks

    A critical vulnerability in Microsoft Outlook (CVE-2024-21413) is being actively exploited in the wild. The flaw lets attackers execute code remotely by bypassing Outlook’s Protected View through malicious links using the file:// protocol and an exclamation mark in the URL.

    Even previewing a malicious email can trigger the exploit, which can lead to credential theft and code execution. CISA has given federal agencies until February 27th to patch their systems and strongly recommends private organizations do the same since this vulnerability is being actively targeted.
  9. Persistent Threats from the Kimsuky Group Using RDP Wrapper

    The Kimsuky threat group continues to target Korean users through spear-phishing attacks using malicious LNK files disguised as Office documents. When executed, these files deploy multiple tools, including PebbleDash backdoor, a custom RDP Wrapper, proxy tools, and keyloggers.

    In 2024, the group’s tactics have evolved, focusing more on remote control tools rather than traditional backdoors. They’ve also developed new methods to steal browser credentials by extracting encryption keys and using NTFS parsing to bypass security products. The attacks show careful targeting, with malicious files often named after specific individuals or companies.
  10. US Health System Notifies 882,000 Patients of August 2023 Breach

    Hospital Sisters Health System (HSHS) has disclosed that an August 2023 cyberattack exposed the personal and health information of over 882,000 patients. The attackers accessed HSHS’s network between August 16 and 27, causing widespread system outages across its Illinois and Wisconsin hospitals.

    While the incident resembles ransomware, no group has claimed responsibility. The stolen data includes names, addresses, social security numbers, and medical information. This breach follows other major healthcare incidents, including UnitedHealth’s Change Healthcare attack, which impacted 190 million Americans.
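For item 1, the practical follow-up is to find dependencies that nobody maintains. The archived banner described above is shown on the project page; the check below, an added example that is not PyPI’s or the article’s code, uses upload recency from the public PyPI JSON API layout (`releases` → version → list of files, each with an `upload_time_iso_8601` field) as a proxy, and runs offline against a constructed response.

```python
"""Flag dependencies that look unmaintained, using the PyPI JSON API shape.

Added example; the SAMPLE dict is constructed to mirror the layout of
https://pypi.org/pypi/<name>/json so the check runs offline. Archival
status itself is surfaced as a banner on the project page; last upload
time is used here as a maintenance proxy.
"""
from datetime import datetime, timedelta

# Constructed sample response (not real project data).
SAMPLE = {
    "info": {"name": "example-pkg", "version": "1.2.0"},
    "releases": {
        "1.0.0": [{"upload_time_iso_8601": "2020-01-15T10:00:00.000000Z"}],
        "1.1.0": [],  # a version whose files were removed: no timestamps
        "1.2.0": [
            {"upload_time_iso_8601": "2021-03-01T09:30:00.000000Z"},
            {"upload_time_iso_8601": "2021-03-01T09:31:00.000000Z"},
        ],
    },
}


def _parse(ts):
    # The API emits a trailing "Z"; older Pythons need "+00:00" instead.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def latest_upload(project):
    """Newest upload timestamp across every release file, or None if none."""
    stamps = [
        _parse(f["upload_time_iso_8601"])
        for files in project.get("releases", {}).values()
        for f in files
        if f.get("upload_time_iso_8601")
    ]
    return max(stamps) if stamps else None


def is_stale(project, now_iso, max_age_days=365):
    """True when the project has had no upload within max_age_days (or ever)."""
    last = latest_upload(project)
    if last is None:
        return True
    return _parse(now_iso) - last > timedelta(days=max_age_days)


if __name__ == "__main__":
    name = SAMPLE["info"]["name"]
    print(name, "last upload:", latest_upload(SAMPLE))
    print(name, "stale (1y)?", is_stale(SAMPLE, "2025-02-10T00:00:00Z"))
```

Run it over each entry of a lockfile and treat stale hits as candidates for replacement or pinning by hash; a stale-but-installable package is exactly the case the archival banner is meant to surface.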
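For item 5, the detection angle is that browsers don’t announce themselves as Axios or Node Fetch. The triage script below is an added example, not Proofpoint’s or the article’s tooling: it assumes sign-in records carrying a `userAgent` field (as exported from Entra ID sign-in logs), uses User-Agent substrings these libraries are assumed to send, and runs over constructed sample events.

```python
"""Triage Microsoft 365 sign-ins originating from scripted HTTP clients.

Added example. The User-Agent patterns are assumed defaults for the
libraries the article names; adjust them to what your logs show. The
events below are constructed, not real tenant data.
"""
import re

# Assumed User-Agent markers for the clients named in the article.
CLIENT_PATTERNS = {
    "axios": re.compile(r"\baxios/", re.I),
    "node-fetch": re.compile(r"\bnode-fetch\b", re.I),
    "okhttp": re.compile(r"\bokhttp/", re.I),
    "go-resty": re.compile(r"\bgo-resty\b", re.I),
}

# Constructed sign-in events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "status": "failure", "userAgent": "axios/1.7.2"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "status": "failure", "userAgent": "axios/1.7.2"},
    {"user": "alice@example.com", "ip": "203.0.113.10", "status": "success", "userAgent": "axios/1.7.2"},
    {"user": "bob@example.com", "ip": "198.51.100.7", "status": "failure", "userAgent": "node-fetch"},
    {"user": "bob@example.com", "ip": "198.51.100.8", "status": "failure", "userAgent": "node-fetch"},
    {"user": "carol@example.com", "ip": "192.0.2.44", "status": "success",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/121.0 Safari/537.36"},
]


def classify_client(user_agent):
    """Name of the scripted client in a User-Agent, or None for browsers/unknown."""
    for name, pattern in CLIENT_PATTERNS.items():
        if pattern.search(user_agent or ""):
            return name
    return None


def triage(events):
    """Aggregate scripted-client sign-ins per user.

    A success from a scripted client is 'high' (possible takeover, including
    an AitM session replay); failures only are 'medium' (spray/brute force).
    """
    per_user = {}
    for ev in events:
        client = classify_client(ev.get("userAgent"))
        if client is None:
            continue
        rec = per_user.setdefault(ev["user"], {
            "user": ev["user"], "clients": set(), "ips": set(),
            "failures": 0, "successes": 0,
        })
        rec["clients"].add(client)
        rec["ips"].add(ev["ip"])
        if ev["status"] == "success":
            rec["successes"] += 1
        else:
            rec["failures"] += 1
    alerts = []
    for rec in per_user.values():
        rec["severity"] = "high" if rec["successes"] else "medium"
        rec["clients"] = sorted(rec["clients"])
        rec["ips"] = sorted(rec["ips"])
        alerts.append(rec)
    return sorted(alerts, key=lambda r: (r["severity"] != "high", r["user"]))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

A successful scripted-client sign-in is the one worth paging on: with AitM in the mix, the password and MFA prompt were already satisfied, so the response is session revocation and token review rather than a password reset alone.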
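For item 6, the bug is easiest to see side by side. The following added example is Python, not the Rego of the real k8sallowedrepos template: `allowed_by_prefix` mirrors the prefix match the article describes, `allowed_by_prefix_slash` applies the researchers’ trailing-slash fix, and `allowed_by_registry` goes further by extracting the registry host according to the Docker image-reference grammar (a first path component containing `.` or `:` or equal to `localhost` is the registry; otherwise the image lives on docker.io) and comparing it exactly. The image names are constructed.

```python
"""Allowed-registry check: the prefix-match bypass and two fixes.

Added example (Python rather than Rego). ALLOWED is written the way a
misconfigured administrator would write it: no trailing slash.
"""

ALLOWED = ["myregistry.com"]


def allowed_by_prefix(image, allowed=ALLOWED):
    """Vulnerable: plain prefix match, equivalent to startswith(image, repo)."""
    return any(image.startswith(repo) for repo in allowed)


def allowed_by_prefix_slash(image, allowed=ALLOWED):
    """Fix 1: force every allowed entry to end with '/' before prefix matching."""
    return any(
        image.startswith(repo if repo.endswith("/") else repo + "/")
        for repo in allowed
    )


def registry_of(image):
    """Fix 2: parse the registry host from an image reference.

    Follows the Docker reference grammar: the first path component is a
    registry only if it contains '.' or ':' or is 'localhost'; otherwise
    the image is implicitly on docker.io (e.g. 'nginx:latest').
    """
    first, sep, _rest = image.partition("/")
    if not sep or not ("." in first or ":" in first or first == "localhost"):
        return "docker.io"
    return first.lower()


def allowed_by_registry(image, allowed_hosts=ALLOWED):
    """Exact host comparison; '/' on the allow-list entries is tolerated."""
    hosts = {h.lower().rstrip("/") for h in allowed_hosts}
    return registry_of(image) in hosts


if __name__ == "__main__":
    for img in ["myregistry.com/app:1.0",
                "myregistry.com.attacker.com/app:1.0",
                "nginx:latest"]:
        print(f"{img:40} prefix={allowed_by_prefix(img)} "
              f"slash={allowed_by_prefix_slash(img)} "
              f"registry={allowed_by_registry(img)}")
```

Note that exact host matching also rejects `myregistry.com:443/app`, which a prefix-plus-slash rule rejects too; if a registry is reachable on an explicit port, list that host:port form explicitly rather than loosening the match.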
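For item 8, mail-gateway and hunt teams want a quick way to pull the links the article describes out of message bodies. The scanner below is an added example, not Microsoft’s or CISA’s code: it extracts `href` targets from HTML, and flags any `file:` scheme link, with a higher-severity label when the URL also contains an exclamation mark as in the described exploit. The message body is constructed.

```python
"""Find file:// links (and the '!' variant) in an HTML email body.

Added example. The body below is constructed; the UNC host is a
documentation address. Detection is a triage aid, not a substitute for
the Outlook patch.
"""
import html
import re

# Matches href=… in single, double or no quotes; case-insensitive.
HREF_RE = re.compile(r"""href\s*=\s*["']?\s*([^"'\s>]+)""", re.I)

SAMPLE_BODY = r'''<p>Quarterly report: <a href="https://intranet.example.com/q4">view</a></p>
<p><a href="file:///\\203.0.113.5\share\report.rtf!x">Open attachment</a></p>
<p><a HREF='FILE://fileserver.example.com/public/notes.txt'>notes</a></p>'''


def extract_links(body_html):
    """All href targets in the body, with HTML entities decoded."""
    return [html.unescape(m.group(1)) for m in HREF_RE.finditer(body_html)]


def classify_link(url):
    """'file-link-with-bang', 'file-link', or None for non-file schemes."""
    u = url.strip().lower()
    if not u.startswith("file:"):
        return None
    return "file-link-with-bang" if "!" in u else "file-link"


def scan_email(body_html):
    """(url, classification) for every file: link, in document order."""
    results = []
    for url in extract_links(body_html):
        label = classify_link(url)
        if label:
            results.append((url, label))
    return results


if __name__ == "__main__":
    for url, label in scan_email(SAMPLE_BODY):
        print(f"{label:22} {url}")
```

Any `file:` link in inbound internet mail is unusual enough to quarantine on its own; the `!` form is the one to escalate and to correlate with outbound SMB connection attempts from the recipient’s workstation.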

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The top 10 stories above were selected from the 40+ original ones we determined to be most significant during the course of the week, ranked by highest risk and using multiple sources when available.
