
Jedai tricks, human risks.
An unsecured Chroma database exposes personal information of Canva Creators. A researcher brute-forces Google phone numbers. Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered. Librarian Ghouls target Russian organizations with stealthy malware. SAP releases multiple security patches including a critical fix for a NetWeaver bug. Sensata Technologies confirms the theft of sensitive personal data during an April ransomware attack. SentinelOne warns of targeted cyber-espionage attempts by China-linked threat actors. Skitnet gains traction amongst ransomware gangs. The UK’s NHS issues an urgent appeal for blood donors. On today’s Threat Vector, host David Moulton talks with Arjun Bhatnagar, CEO of Cloaked, about why protecting your digital privacy is more urgent than ever. The FBI’s Cyber Division welcomes a new leader.
Today is Tuesday June 10th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
An unsecured Chroma database exposes personal information of Canva Creators.
A data breach exposed personal information from 571 Canva Creators after a Russian AI firm, My Jedai, left a Chroma database unsecured. The database, used to train AI chatbots, included survey responses detailing creators’ professional and financial data, posing phishing and competitive risks. Discovered by UpGuard, the breach highlights vulnerabilities in the fast-growing AI supply chain, where tools like Chroma are deployed rapidly without mature security practices. My Jedai secured the data within 24 hours of notification. This marks the first known Chroma-related leak and underscores how the rush to adopt AI has outpaced safeguards, increasing the risk of misconfigurations and data exposure.
A researcher brute-forces Google phone numbers.
A white-hat hacker known as Brutecat uncovered a flaw in Google’s authentication process that exposed users’ phone numbers to brute-force attacks. The exploit required only an email address and used Google’s account recovery hints to deduce phone numbers, enabling potential SIM-swapping attacks. Brutecat bypassed protections using cloud services and Google Looker Studio, exploiting a non-JavaScript recovery form and leveraging IPv6 to sidestep IP-based rate limits. By automating the process, phone numbers could be cracked in seconds to minutes depending on the region. Despite the severity, Google awarded a modest $5,000 bounty, though they quickly patched the issue. The incident highlights the need for stronger safeguards in account recovery workflows and how overlooked legacy systems can create significant security risks.
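The rate-limit bypass described above works because a limiter keyed on the exact source address treats every address in an IPv6 block as a new client. The following is an added illustration, not code from the episode, from Google or from the researcher: a small sliding-window limiter that keys IPv6 clients on their /64 prefix (the block most providers hand a single host or tenant), and a simulation that rotates through one hundred addresses inside one /64 to show the difference between per-address and per-prefix keying. The /64 choice, the limits and the 2001:db8 prefix are assumptions made for the example.

```python
import ipaddress
import time
from collections import defaultdict, deque


class PrefixRateLimiter:
    """Sliding-window rate limiter keyed on an address prefix, not a single IP.

    IPv6 clients are keyed on their /64 by default, so cycling through the
    2^64 addresses inside one allocation does not reset the counter.
    IPv4 clients keep the full /32 as their key.
    """

    def __init__(self, limit, window_seconds, v6_prefix=64, v4_prefix=32):
        self.limit = limit
        self.window = window_seconds
        self.v6_prefix = v6_prefix  # 64 is an assumption; tune per deployment
        self.v4_prefix = v4_prefix
        self._hits = defaultdict(deque)  # key -> timestamps of recent requests

    def key_for(self, ip_str):
        """Collapse an address to the prefix that the limiter counts against."""
        ip = ipaddress.ip_address(ip_str)
        plen = self.v6_prefix if ip.version == 6 else self.v4_prefix
        return str(ipaddress.ip_network((ip, plen), strict=False))

    def allow(self, ip_str, now=None):
        """Return True if the request fits in the window, else False."""
        now = time.monotonic() if now is None else now
        q = self._hits[self.key_for(ip_str)]
        while q and now - q[0] >= self.window:  # expire old hits
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def simulate_rotation(limiter, prefix, attempts):
    """Send `attempts` requests, each from a fresh address inside `prefix`,
    all inside one window, and return how many the limiter accepted."""
    net = ipaddress.ip_network(prefix)
    base = int(net.network_address)
    accepted = 0
    for i in range(attempts):
        addr = str(ipaddress.ip_address(base + i + 1))
        if limiter.allow(addr, now=0.0):
            accepted += 1
    return accepted


if __name__ == "__main__":
    block = "2001:db8:abcd:1234::/64"  # constructed documentation prefix
    per_address = PrefixRateLimiter(limit=5, window_seconds=60, v6_prefix=128)
    per_prefix = PrefixRateLimiter(limit=5, window_seconds=60)
    print("per-address keying accepted:", simulate_rotation(per_address, block, 100))
    print("per-/64 keying accepted:", simulate_rotation(per_prefix, block, 100))
```

Prefix keying is one layer only; a recovery endpoint also needs per-account attempt limits and the same protections on every rendering of the form, including any non-JavaScript fallback, since the page notes that the legacy path was where the limits were weakest.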
Five zero-day vulnerabilities in Salesforce Industry Cloud are uncovered.
Security researchers at AppOmni uncovered five zero-day vulnerabilities and 15 serious misconfigurations in Salesforce Industry Cloud, potentially impacting tens of thousands of organizations. Salesforce Industry Cloud offers low-code tools tailored for sectors like healthcare, finance, and government, but its ease of use can lead to risky default settings. Three of the five flaws were fixed by Salesforce directly, while two require customer action. The remaining issues stem from common misconfiguration traps, often caused by non-technical users unknowingly applying insecure access settings. These missteps could lead to major data breaches, including exposure of sensitive health or financial data. AppOmni’s scans show these risks are widespread among Industry Cloud users, raising serious concerns about security in low-code enterprise platforms designed for speed and simplicity.
Librarian Ghouls target Russian organizations with stealthy malware.
The Librarian Ghouls APT group—also known as “Rare Werewolf” or “Rezet”—has been actively targeting Russian and CIS organizations through a stealthy and persistent malware campaign extending into May 2025. This group leverages legitimate third-party software, PowerShell scripts, and phishing emails to avoid detection. Victims receive password-protected archives containing fake business documents, initiating a multi-stage attack that installs legitimate-looking tools like 4t Tray Minimizer to conceal activity. Once infected, systems are exploited for credential theft, data exfiltration, and cryptocurrency mining. Targets include industrial and educational institutions, suggesting an intent to steal intellectual property. The campaign uses scheduled tasks, AnyDesk for remote access, and disables security tools to ensure persistence. Hundreds have been affected, highlighting the group’s sophisticated social engineering and technical execution.
SAP releases multiple security patches including a critical fix for a NetWeaver bug.
SAP released 14 security patches in its June 2025 Security Patch Day, including a critical fix for CVE-2025-42989—a NetWeaver bug rated 9.6 on the CVSS scale. The flaw allows privilege escalation through a missing authorization check in the RFC framework. Onapsis warns it could severely impact application integrity and availability. SAP also addressed five high-severity and multiple medium- and low-severity flaws affecting various components. No active exploitation has been reported, but immediate patching is strongly recommended.
Sensata Technologies confirms the theft of sensitive personal data during an April ransomware attack.
Sensata Technologies confirmed that hackers accessed and stole sensitive personal data during a ransomware attack that disrupted operations in April. The attackers had access from March 28 to April 6 and exfiltrated files containing names, Social Security numbers, financial and health data—likely belonging to employees. At least 362 Maine residents are affected. The Massachusetts-based firm, which supplies electrical components globally, hasn’t appeared on any known ransomware leak sites, and it remains unclear if a ransom was paid.
SentinelOne warns of targeted cyber-espionage attempts by China-linked threat actors.
SentinelOne is calling for greater industry transparency after revealing targeted cyber-espionage attempts by China-linked threat actors, APT15 and APT41. The first campaign, “PurpleHaze,” involved reconnaissance on SentinelOne servers and attacks using Ivanti zero-day flaws and the GOREshell backdoor. A second operation, tied to APT41, aimed to infiltrate a SentinelOne supplier via ShadowPad malware in a suspected supply chain attack. These incidents highlight a growing trend: cybersecurity vendors are becoming direct targets. SentinelOne warns the industry to stay vigilant, citing a pattern of stealthy, long-term intrusions focused on high-value infrastructure.
Skitnet gains traction amongst ransomware gangs.
Skitnet (aka Bossnet) has rapidly become a favored tool among ransomware gangs in 2025, notably Black Basta and Cactus. Marketed as a user-friendly post-exploitation toolkit, it gained traction following the takedown of major botnets like QakBot, filling a gap in the cybercrime ecosystem. Distributed via underground forums like RAMP, Skitnet’s Malware-as-a-Service model enables even low-skilled actors to launch advanced attacks. Technically sophisticated, it uses a Rust loader and ChaCha20-encrypted Nim payload to establish stealthy DNS-based reverse shells. Its persistence techniques include DLL hijacking, Startup shortcuts, and use of tools like AnyDesk and PowerShell. The malware also features anti-forensic measures, log wiping, and “living-off-the-land” tactics, making detection and attribution difficult. Skitnet’s rise underscores the growing industrialization of cybercrime and the need for proactive defense strategies.
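A DNS-based reverse shell has to push its traffic through query names, which leaves a measurable footprint in resolver logs even when the payload itself is encrypted. The block below is an added example, not code from the episode or from any vendor report, and it does not model Skitnet's actual protocol: it builds a small constructed query log, profiles each registered domain by the number of distinct subdomain prefixes, their average length and their character entropy, and flags domains that exceed all three thresholds. The log format, the thresholds and the "last two labels" rule for the registered domain are assumptions; a production detector would read real resolver logs and use the Public Suffix List.

```python
import hashlib
import math
from collections import defaultdict


def constructed_dns_log():
    """Constructed sample log, one query per line: '<ts> <client> <qname> <qtype>'.
    A few benign lookups, then 30 queries whose leftmost label is long,
    high-entropy and never repeated, the shape a tunnelled channel tends to have."""
    lines = [
        "1718000000 10.0.0.5 www.example.com A",
        "1718000001 10.0.0.5 mail.example.com MX",
        "1718000002 10.0.0.7 api.example.org A",
        "1718000003 10.0.0.5 www.example.com AAAA",
    ]
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()  # stands in for encoded data
        lines.append(f"{1718000010 + i} 10.0.0.9 {chunk}.cdn-updates.example TXT")
    return lines


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain_prefix, registered_domain).
    Simplification: the last two labels are taken as the registered domain."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_queries(lines):
    """Aggregate per registered domain: query count, distinct prefixes,
    total prefix length and total prefix entropy."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "len_sum": 0, "ent_sum": 0.0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines rather than crash on them
            continue
        _ts, _client, qname, _qtype = parts
        prefix, domain = split_qname(qname)
        s = stats[domain]
        s["queries"] += 1
        s["unique"].add(prefix)
        s["len_sum"] += len(prefix)
        s["ent_sum"] += shannon_entropy(prefix.replace(".", ""))
    return stats


def flag_suspicious(stats, min_unique=20, min_avg_len=25, min_avg_entropy=3.0):
    """Domains with many distinct, long, high-entropy prefixes. Thresholds are
    assumptions for this example and should be tuned against a baseline."""
    flagged = []
    for domain, s in stats.items():
        n = s["queries"]
        avg_len = s["len_sum"] / n
        avg_ent = s["ent_sum"] / n
        if len(s["unique"]) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain in flag_suspicious(profile_queries(constructed_dns_log())):
        print("suspicious DNS channel candidate:", domain)
```

Content delivery networks and some anti-spam services also emit long machine-generated labels, so treat a hit as a lead to pivot on (which host, which process, TXT record volume) rather than a verdict; the entropy and length thresholds above are deliberately conservative starting points.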
The UK’s NHS issues an urgent appeal for blood donors.
The UK’s NHS has issued an urgent appeal for 1 million blood donors as national blood supplies remain critically low, especially for O negative blood, following a 2023 ransomware attack on pathology provider Synnovis. The attack disrupted services, forcing hospitals to rely heavily on O-type blood, leading to a fragile supply. The NHS is particularly seeking O negative donors and those of Black heritage, crucial for treating conditions like sickle cell disease. Meanwhile, over 900,000 patients were impacted by the Synnovis breach, which exposed sensitive medical data, including cancer and STI records. Despite legal obligations to notify affected individuals, many remain uninformed. The NHS warns that without immediate donor support, the system risks entering a “Red Alert” state where demand exceeds supply, threatening patient care and public safety.
The FBI’s Cyber Division welcomes a new leader.
The FBI’s Cyber Division is welcoming a new leader! Brett Leatherman, a longtime FBI veteran with deep cyber expertise, will step in as assistant director following Bryan Vorndran’s retirement. Leatherman brings more than 20 years of experience, from field offices to leading cyber operations, and recently served as deputy assistant director for cyber operations. In a LinkedIn post, he expressed gratitude for the opportunity to lead, pledging to disrupt cyber threats and support victims. Known for his collaborative, forward-looking approach, Leatherman aims to build on the FBI’s mission to make cybercrime unsustainable. He steps into big shoes — Vorndran helped modernize the FBI’s cyber strategy, taking bold steps to disrupt hacking groups and boost victim support. The cyber community will be watching closely as Leatherman carries the torch forward with fidelity, bravery and integrity.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.