
A reel disaster for GitHub.
A phishing campaign targets nearly 12,000 GitHub repositories. The BlackLock ransomware group is one to watch. A federal judge orders reinstatement of workers at CISA. Over 100 car dealership websites suffer a supply chain attack, and Hellcat breaches Jaguar Land Rover. Researchers uncover a major vulnerability affecting RSA encryption keys. A Life Insurance Company notifies 355,500 individuals of a December 2024 data breach. A researcher releases a decryptor for Akira ransomware. A new mapping database aims to help NGOs and high-risk individuals find security tools. Tim Starks from CyberScoop joins me with news that trade groups worry over renewal of vital cyber law. A fundamental shift of our understanding of hash tables.
Today is Monday, March 17th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A phishing campaign targets nearly 12,000 GitHub repositories.
A phishing campaign has targeted nearly 12,000 GitHub repositories with fake “Security Alert” issues, tricking developers into authorizing a malicious OAuth app called “gitsecurityapp.” The fake alerts claim suspicious activity was detected from Reykjavik, Iceland, urging users to update passwords and enable two-factor authentication. However, all links lead to an OAuth authorization page that grants attackers full access to repositories, user profiles, discussions, and workflows. The attack, first spotted by researcher Luc4m, is ongoing, though GitHub appears to be responding. Users who mistakenly authorized the app should revoke access in GitHub settings, check for unexpected GitHub Actions, and rotate credentials. The malicious campaign directs stolen credentials to sites hosted on Render. Developers should remain vigilant against such phishing attempts.
The BlackLock ransomware group is one to watch.
The BlackLock ransomware group has attacked over 40 organizations in early 2025, making it one of the most active ransomware-as-a-service (RaaS) operators. Targeting construction, real estate, IT service providers, and government agencies, the group employs fast encryption and leak sites for extortion. Using Golang for cross-platform attacks, BlackLock leverages ChaCha20 and RSA-OAEP encryption. Emerging from the rebranded Eldorado group, it recruits key players known as traffers to aid attacks. Organizations must enhance cybersecurity measures to combat this growing ransomware threat.
A federal judge orders reinstatement of workers at CISA.
A U.S. federal judge temporarily blocked the Trump administration’s effort to fire thousands of federal employees, including over 400 from the Department of Homeland Security (DHS) and 130 from the Cybersecurity and Infrastructure Security Agency (CISA). Judge James Bredar ordered reinstatement by March 17, pending a lawsuit by 20 state attorneys general. Concerns over cybersecurity and national security have emerged, with experts warning that mass layoffs weaken defenses. The White House called the rulings judicial overreach. DHS contractors, like penetration tester Christopher Chenoweth, reported terminations affecting red team operations. CISA denied laying off its red team, stating contract changes were made for efficiency. The Office of Personnel Management (OPM) and the Department of Government Efficiency (DOGE) have not commented on the firings.
Over 100 car dealership websites suffer a supply chain attack, and Hellcat breaches Jaguar Land Rover.
Over 100 car dealership websites were compromised in a supply chain attack after threat actors infected LES Automotive, a shared video service. The attackers deployed the ClickFix technique, tricking users into executing malicious commands via fake reCAPTCHA prompts. This method, increasingly used by cybercriminals, has spread information stealers and malware. Security researcher Randy McEoin found the attack distributing SectopRAT via PowerShell. The injected JavaScript contained Russian comments, suggesting dynamic script manipulation. Microsoft recently warned of similar attacks in hospitality.
Elsewhere in the automotive world, the HELLCAT ransomware group breached Jaguar Land Rover (JLR) using stolen Atlassian Jira credentials, exposing 700 internal documents and employee data on hacking forums. Threat actor “Rey” claimed responsibility, while another hacker, “APTS,” leaked an additional 350GB of sensitive data. The stolen information includes development logs, tracking data, and proprietary source code, raising concerns over intellectual property theft and potential targeted attacks. HELLCAT, known for exploiting Jira vulnerabilities, has previously targeted Telefonica and Schneider Electric. Experts urge organizations to enforce multi-factor authentication and credential rotation to prevent similar breaches.
Researchers uncover a major vulnerability affecting RSA encryption keys.
Security researchers have uncovered a major vulnerability affecting RSA encryption keys, with approximately 1 in 172 online certificates susceptible to compromise due to poor random number generation. Keyfactor Security analyzed over 75 million RSA certificates, finding 435,000 vulnerable due to shared prime factors, allowing attackers to break encryption using simple Greatest Common Divisor (GCD) calculations. IoT devices are particularly at risk, with 50% of compromised keys linked to a major network equipment manufacturer. Despite prior warnings, many devices still use weak RSA keys, posing threats to critical systems like medical equipment and industrial controls. Researchers urge manufacturers to improve entropy sources and follow cryptographic best practices to mitigate risks.
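To make the shared-prime weakness concrete, here is an added example (not from the broadcast or from the researchers' tooling) of the check a team could run over the public moduli of certificates it has issued, flagging keys that must be regenerated. The device names are hypothetical and the moduli are constructed from Mersenne primes as stand-ins for real key material.

```python
"""Audit a fleet's RSA public moduli for shared prime factors."""
from itertools import combinations
from math import gcd

# Constructed sample data: Mersenne primes stand in for the random primes a
# real key generator would pick. Device names are hypothetical.
P_SHARED = 2**127 - 1
FLEET = {
    "router-a": P_SHARED * (2**89 - 1),      # low-entropy keygen reused P_SHARED
    "router-b": P_SHARED * (2**107 - 1),     # same reused prime
    "camera-c": (2**61 - 1) * (2**521 - 1),  # independent primes
}


def find_shared_factors(moduli):
    """Return (name_a, name_b, factor) for every pair of moduli that is not coprime.

    factor is None when the two moduli are identical: that is a duplicated
    key pair, and the GCD (the modulus itself) reveals no prime.
    Pairwise comparison is O(n^2); surveys over millions of certificates use
    a batch-GCD product tree instead, but the finding is the same.
    """
    findings = []
    for (a, n_a), (b, n_b) in combinations(sorted(moduli.items()), 2):
        g = gcd(n_a, n_b)
        if g == 1:
            continue  # healthy pair: no common prime
        findings.append((a, b, None if n_a == n_b else g))
    return findings


def keys_to_reissue(moduli):
    """Names of every key that appears in at least one finding."""
    flagged = set()
    for a, b, _ in find_shared_factors(moduli):
        flagged.update((a, b))
    return sorted(flagged)


if __name__ == "__main__":
    for a, b, g in find_shared_factors(FLEET):
        detail = "identical modulus" if g is None else f"shared prime of {g.bit_length()} bits"
        print(f"{a} / {b}: {detail}")
    print("regenerate:", keys_to_reissue(FLEET))
```

Any key the audit flags has to be regenerated on a device with a properly seeded random number generator; re-signing the same modulus does not help.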
A Life Insurance Company notifies 355,500 individuals of a December 2024 data breach.
New Era Life Insurance Companies is notifying 355,500 individuals of a December 2024 data breach, the largest health data breach reported by a health plan this year. The Texas-based insurer discovered unauthorized access between Dec. 9-18, during which sensitive personal and health data—including names, insurance IDs, and medical details—was copied. Some Social Security numbers were also compromised. The company is offering free credit monitoring and enhancing security measures. Several law firms are investigating potential class-action lawsuits.
A researcher releases a decryptor for Akira ransomware.
Security researcher Yohanes Nugroho released a decryptor for the Linux variant of Akira ransomware, leveraging GPUs to brute-force encryption keys. Akira generates keys using timestamp-based seeds, making decryption difficult but not impossible. Nugroho used cloud-based RTX 4090 GPUs to crack the keys in about 10 hours. His tool, available on GitHub, allows free file recovery, though its effectiveness may vary. Users are advised to back up encrypted files before attempting decryption, as errors could cause data corruption.
A new mapping database aims to help NGOs and high-risk individuals find security tools.
A global non-profit named Common Good Cyber has launched a mapping database to help NGOs and high-risk individuals find security tools. The database, featuring 334 public-interest security services, is categorized into six groups: Govern, Identify, Protect, Detect, Respond, and Recover. Supported by the UK FCDO and the EU Institute for Security Studies, the initiative aims to improve cybersecurity for over 10 million NGOs worldwide. Cyber threats against non-profits are rising, with 32% of charities reporting incidents in 2024. Past attacks include breaches at Freecycle and Maternal & Family Health Services. Common Good Cyber, founded by the Global Cyber Alliance, stresses that cybersecurity should be accessible to all. The UK’s NCSC has also issued guidance for charities, emphasizing the sector’s vulnerability to digital threats.
A fundamental shift of our understanding of hash tables.
And finally, hash tables are one of the most fundamental data structures in computing, allowing for fast storage and retrieval of information. They play a critical role in cybersecurity, enabling efficient database lookups, cryptographic functions, and even firewall operations. Their efficiency hinges on how quickly they can insert, locate, or delete data—something researchers have studied for decades.
In 2021, Andrew Krapivin, then an undergraduate at Rutgers University, stumbled upon a paper about “Tiny Pointers.” He didn’t think much of it at the time. But two years later, as he explored ways to make pointers more memory-efficient, he unexpectedly discovered a new kind of hash table—one that shattered long-held assumptions in computer science.
Without realizing it, Krapivin had disproved a 40-year-old conjecture by Turing Award winner Andrew Yao, which stated that the worst-case time to insert or search for an item in a nearly full hash table could never be faster than x, where x represents how close the table is to 100% full. Krapivin’s new hash table, however, achieved a time complexity of (log x)²—an exponential improvement.
Skeptical at first, his former professor, Martín Farach-Colton, brought in William Kuszmaul from Carnegie Mellon University to validate the discovery. They confirmed that not only had Krapivin refuted Yao’s conjecture, but he had also uncovered an even more surprising result: some hash tables can achieve constant-time search, regardless of how full they are. This contradicted another of Yao’s long-standing assumptions.
Krapivin, now at the University of Cambridge, along with Farach-Colton and Kuszmaul, published their findings in January 2025. While practical applications remain to be seen, their work fundamentally changes how computer scientists understand hash tables—one of the most essential tools in cybersecurity and data storage.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.