The CyberWire Daily Podcast 6.27.24
Ep 2097 | 6.27.24

E-commerce or E-spying?

Transcript

Arkansas sues Temu over privacy issues. Polyfill returns and says they were wronged. An NYPD database was found vulnerable to manipulation. Google slays the DRAGONBRIDGE. Malwarebytes flags a new Mac stealer campaign. Patch your gas chromatographs. Microsoft warns of an AI jailbreak called Skeleton Key. CISA tracks exploited vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail. In our 'Threat Vector' segment, host David Moulton speaks with Jim Foote, CEO of First Ascent Biomedical, about his transition from Chief Information Security Officer (CISO) to leading a biotech company utilizing AI to personalize cancer treatments. Metallica is not hawking metal crypto.

Today is Thursday, June 27th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Arkansas sues Temu over privacy issues. 

Arkansas Attorney General Tim Griffin has filed a lawsuit against e-commerce app Temu, alleging it violates state law by engaging in deceptive trade practices. Griffin claims Temu, which is the top free shopping app on the Apple App Store and Google Play Store, operates as malware, accessing nearly all data on users' phones. The lawsuit connects these allegations to past concerns with Pinduoduo, another app by Temu's owner PDD Holdings, which faced security issues on the Google Play Store in 2023. The suit argues Temu collects excessive data, including sensitive information, and misleads users about its permissions. Temu, Google, and Apple have yet to respond.

Polyfill returns and says they were wronged.

Following up on a story we covered yesterday: The owners of Polyfill.io have relaunched the JavaScript CDN service on a new domain after polyfill.io was shut down for delivering malicious code to over 100,000 websites. They claim the service was "maliciously defamed" and deny any supply chain risks, stating their services are cached by Cloudflare. Despite relaunching on polyfill.com, security experts advise against using the service due to previous issues. Sansec researchers identified the attack and Cloudflare confirmed unauthorized use of its branding. Google has warned advertisers about the malicious code. Developers are advised to seek alternatives from Cloudflare and Fastly.
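A site owner hearing this story wants to know whether any of their pages still pull code from the abandoned domain. The scanner below is an added example, not code from the CyberWire episode or from the polyfill.io operators: it walks an HTML document, lists every external script and stylesheet reference, flags the ones whose host is on a watch list (polyfill.io and the relaunched polyfill.com from the story), and notes whether each tag carries a Subresource Integrity hash. The sample HTML, the watch list and the placeholder integrity value are constructed for the example.

```python
"""Added example: find third-party script/stylesheet tags in HTML, flag hosts
on a watch list, and report which tags lack an SRI `integrity` attribute.
Sample HTML, watch list and the integrity placeholder are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed watch list: hosts the site owner no longer wants to load code from.
WATCHED_HOSTS = {"polyfill.io", "polyfill.com"}


def is_watched(host: str) -> bool:
    """True if host equals or is a subdomain of a watched host."""
    host = host.lower()
    return any(host == w or host.endswith("." + w) for w in WATCHED_HOSTS)


class ThirdPartyRefScanner(HTMLParser):
    """Collects <script src> and <link rel=stylesheet href> references to other hosts."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            url = attrs.get("src")
        elif tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            url = attrs.get("href")
        else:
            return
        if not url:
            return  # inline script, or a link without an href
        # urlparse handles absolute URLs and protocol-relative "//host/path";
        # a path-only URL has no hostname and is first-party, so it is skipped.
        host = urlparse(url).hostname
        if host is None:
            return
        self.findings.append({
            "tag": tag,
            "url": url,
            "host": host,
            "watched": is_watched(host),
            "has_sri": bool(attrs.get("integrity")),
        })


def scan_html(html: str) -> list:
    """Return one finding per external script/stylesheet reference."""
    scanner = ThirdPartyRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def summarize(findings: list) -> dict:
    """Split findings into tags to remove (watched host) and tags needing SRI."""
    return {
        "watched": [f["url"] for f in findings if f["watched"]],
        "missing_sri": [f["url"] for f in findings if not f["has_sri"]],
    }


# Constructed page: two polyfill references, one pinned CDN asset with a
# placeholder SRI hash, one unpinned third-party asset, and first-party files.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lib/1.0.0/lib.min.js"
        integrity="sha384-PLACEHOLDER_CONSTRUCTED_HASH" crossorigin="anonymous"></script>
<script src="https://example-cdn.test/other.js"></script>
<link rel="stylesheet" href="/static/site.css">
<script src="/js/app.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for url in summarize(scan_html(SAMPLE_HTML))["watched"]:
        print("remove or replace:", url)
```

Hosts matched by `is_watched` should be removed outright (the story's advice is to switch to the Cloudflare or Fastly alternatives); the `missing_sri` list is the broader hygiene item, since an `integrity` hash would have made the browser reject a CDN response whose contents changed.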

An NYPD database was vulnerable to manipulation. 

A public database tracking NYPD officer profiles had security flaws that allowed potential data manipulation and malicious file insertion. Launched after 2020 police reforms, the database includes disciplinary records and other officer information. Independent researcher Jason Parker discovered these vulnerabilities and reported them. The NYPD has since secured the system, blocking access to the exploit points. Developed by RockDaisy, the database faced criticism for its security lapses. Despite claims of resolution, experts advise caution. The NYPD has not clarified if the database is used internally. 

Google slays the DRAGONBRIDGE.

Google's Threat Analysis Group (TAG) has published insights on DRAGONBRIDGE, a spammy influence network linked to the PRC known as "Spamouflage Dragon." Despite prolific content production, DRAGONBRIDGE gets minimal engagement on YouTube and Blogger. Most content is low quality and non-political, but some supports pro-PRC views on various current events, including the Taiwan elections and the Israel-Hamas war. In 2023, Google disrupted over 65,000 instances of DRAGONBRIDGE activity, and over 10,000 in early 2024, totaling over 175,000 disruptions. Despite efforts, their content sees practically no organic engagement, with interactions mostly from inauthentic accounts. DRAGONBRIDGE continues to adapt, using generative AI tools and focusing on US political and social issues.

Malwarebytes flags a new Mac stealer campaign. 

On June 24, a new campaign was detected targeting Mac users with a stealer via malicious Google ads for the Arc browser. This marks the second recent use of Arc as a lure. The macOS stealer, dubbed "Poseidon," is an evolved version of OSX.RodStealer by threat actor Rodrigo4, adding features like VPN configuration theft. The campaign uses fake ads and websites to distribute the malware. The stealer collects various sensitive data, including files and crypto wallet information. Malwarebytes has flagged this campaign and recommends using web protection tools to block ads and malicious sites.

Patch your gas chromatographs. 

Security firm Claroty revealed several vulnerabilities in gas chromatograph devices manufactured by Emerson. The units are critical for chemical analysis in hospitals and environmental facilities. Vulnerabilities include a critical command injection allowing unauthenticated remote command execution with root privileges and a high-severity issue enabling admin access. Medium-severity issues could lead to sensitive information disclosure or DoS conditions. Claroty warns that compromising these devices could severely impact industries like food processing and healthcare. Emerson and CISA have advised on firmware updates and best practices to mitigate these risks.

Microsoft warns of an AI jailbreak called Skeleton Key.  

Microsoft has issued a warning about a new AI jailbreak attack called Skeleton Key. This attack allows generative AI models to bypass their safeguards and produce harmful or unsanctioned content. Skeleton Key works by altering the model's behavior guidelines, prompting it to issue warnings rather than refuse harmful requests. It affects various AI models, including those by Meta, Google, and OpenAI. Microsoft has shared these findings with other AI providers and updated its Azure AI models to detect and block such attacks using Prompt Shields. They recommend filtering inputs and outputs, monitoring for abuse, and updating algorithms to prevent inappropriate prompts. Security experts warn that continuous vigilance and information sharing are crucial to countering these evolving threats.

CISA tracks exploited vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail. 

CISA has warned about threat actors exploiting vulnerabilities in GeoServer, the Linux kernel, and Roundcube Webmail. The GeoServer flaw (CVE-2022-24816, CVSS 9.8) is a code injection issue in the Jai-Ext project, patched in April 2022. The Linux kernel flaw (CVE-2022-2586, CVSS 7.8) is a use-after-free issue in nf_tables, demonstrated at Pwn2Own Vancouver and patched in August 2022. The Roundcube Webmail flaw (CVE-2020-13965, CVSS 6.1) is a cross-site scripting vulnerability patched in June 2020. CISA added these vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by July 17. All organizations using these products are advised to address these issues promptly.
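The practical follow-up to a KEV addition is reconciling the catalog against what you actually run and tracking the due date. The script below is an added example, not code from the CyberWire episode or from CISA: it loads KEV-style records, matches them to a constructed asset inventory, and lists the unremediated items with days left until the deadline. The record field names (`cveID`, `vendorProject`, `product`, `dueDate`, under a top-level `vulnerabilities` list) follow the public KEV JSON feed as I understand it; the three CVE IDs and the July 17 due date come from the story, while the product labels, asset names and remediation state are constructed.

```python
"""Added example: reconcile a constructed asset inventory against KEV-style
records and report what is still outstanding relative to the KEV due date.
Field names follow the public KEV JSON feed as understood by the author;
all values other than the three CVE IDs and the due date are constructed."""
import json
from datetime import date

# Constructed KEV-style feed (shape assumed; vendor/product labels constructed).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-24816", "vendorProject": "GeoServer", "product": "GeoServer", "dueDate": "2024-07-17"},
    {"cveID": "CVE-2022-2586", "vendorProject": "Linux", "product": "Linux Kernel", "dueDate": "2024-07-17"},
    {"cveID": "CVE-2020-13965", "vendorProject": "Roundcube", "product": "Roundcube Webmail", "dueDate": "2024-07-17"},
]})

# Constructed inventory: product label per asset plus CVEs already remediated.
INVENTORY = [
    {"asset": "gis-01", "product": "GeoServer", "remediated": set()},
    {"asset": "web-07", "product": "Linux Kernel", "remediated": {"CVE-2022-2586"}},
    {"asset": "mail-02", "product": "Roundcube Webmail", "remediated": set()},
    {"asset": "db-03", "product": "PostgreSQL", "remediated": set()},
]


def load_kev(text: str) -> list:
    """Parse the KEV feed and keep only the fields this check needs."""
    entries = json.loads(text)["vulnerabilities"]
    return [{"cveID": e["cveID"], "product": e["product"],
             "dueDate": date.fromisoformat(e["dueDate"])} for e in entries]


def outstanding(inventory: list, kev_entries: list, today: date) -> list:
    """Return unremediated (asset, CVE) pairs with days left, soonest first."""
    by_product = {}
    for e in kev_entries:
        by_product.setdefault(e["product"], []).append(e)
    results = []
    for item in inventory:
        for e in by_product.get(item["product"], []):
            if e["cveID"] in item["remediated"]:
                continue  # already patched or mitigated on this asset
            results.append({
                "asset": item["asset"],
                "cve": e["cveID"],
                "due": e["dueDate"].isoformat(),
                "days_left": (e["dueDate"] - today).days,
            })
    return sorted(results, key=lambda r: (r["days_left"], r["asset"]))


def overdue(results: list) -> list:
    """Subset of outstanding items whose due date has passed."""
    return [r for r in results if r["days_left"] < 0]


if __name__ == "__main__":
    for r in outstanding(INVENTORY, load_kev(KEV_JSON), date(2024, 6, 27)):
        print(f"{r['asset']}: {r['cve']} due {r['due']} ({r['days_left']} days left)")
```

Run against the real feed, the same `outstanding` call gives the list to hand to patching owners; anything returned by `overdue` is a compliance gap for agencies bound by the directive and a risk-acceptance decision for everyone else.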


Coming up on our biweekly Threat Vector segment, Palo Alto Unit 42’s David Moulton speaks with Jim Foote, CEO of First Ascent Biomedical, about his transition from Chief Information Security Officer (CISO) to leading a biotech company utilizing AI to personalize cancer treatments. We’ll be right back.

Welcome back. You can catch the full discussion David had with Jim on Threat Vector. There’s a link in our show notes. 


Metallica is not hawking metal crypto. 

And finally, Metallica's official account on X (formerly Twitter) got hacked yesterday and was used to promote a Solana cryptocurrency token called METAL. The hackers claimed it was launched in cooperation with Ticketmaster and involved fintech firm MoonPay, which MoonPay’s president swiftly denied, humorously tweeting, “MoonPay does NOT support METAL.” He added, "If someone offers you a METAL token, they’re not the master of puppets—they’re the master of scams!” referencing Metallica's famous song.

Metallica’s team quickly regained control, deleting all related posts. The token briefly soared to $3.37 million in value but crashed to $90,000 within hours. The hack remains a mystery, leaving fans and followers scratching their heads.

Napster was unavailable for comment. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.