The CyberWire Daily Podcast 7.15.25
Ep 2349 | 7.15.25

The Grok that broke the camel’s back.

Transcript

A DOGE employee leaks private API keys to GitHub. North Korea’s “Contagious Interview” campaign has a new malware loader. A New Jersey diagnostic lab suffers a ransomware attack. A top-grossing dark web marketplace goes dark in what experts believe is an exit scam. MITRE launches a cybersecurity framework to address threats in cryptocurrency and digital financial systems. Experts fear steep budget cuts and layoffs under the Trump administration may undermine cybersecurity information sharing. A Maryland IT contractor settles federal allegations of cyber fraud. Kim Jones and Ethan Cook reflect on CISO perspectives. A crypto hacker goes hero and gets a hefty reward.

Today is Tuesday, July 15th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A DOGE employee leaks private API keys to GitHub. 

Marko Elez, a 25-year-old employee at the Department of Government Efficiency (DOGE), accidentally leaked a private API key to xAI’s language models by posting it on GitHub. This key granted access to 52 LLMs, including xAI’s latest, Grok-4. GitGuardian flagged the breach, but the key remains active. According to Krebs On Security, Elez, who has access to multiple sensitive government databases, has a history of security violations and controversial behavior, including past unencrypted data transmissions. Despite this, he was reinstated after lobbying from Vice President J.D. Vance and has continued moving through federal agencies. This marks the second such xAI leak by a DOGE employee, raising serious concerns about systemic security failures and poor oversight within DOGE.

North Korea’s “Contagious Interview” campaign has a new malware loader. 

North Korean threat actors behind the “Contagious Interview” campaign have escalated their efforts with a new malware loader called XORIndex, Socket researchers report. Downloaded over 9,000 times since June 2025, XORIndex targets developers, job seekers, and crypto holders. It’s embedded in 28 malicious npm packages, used to gather host data and deploy BeaverTail, which steals crypto wallet data. Some packages also deploy HexEval, an earlier malware loader with 8,000+ downloads. In total, 67 malicious npm packages tied to the campaign have been downloaded more than 17,000 times, with 27 still active. The campaign, linked to North Korea’s Lazarus Group, uses fake job offers and tools to trick users into installing malware. Socket has requested takedowns and account suspensions, warning of ongoing loader reuse and evolving obfuscation tactics.

A New Jersey diagnostic lab suffers a ransomware attack. 

Avantic Medical Lab, a New Jersey-based diagnostic lab, suffered a ransomware attack and data breach by the Everest group. On July 3, 2025, 31 GB of sensitive patient data was leaked after the lab failed to engage with the attackers. The breach, first signaled on June 10, exposed data from 2018–2023, including medical records, Social Security numbers, insurance details, and credit card information. Avantic has not yet notified patients. Those possibly affected should monitor accounts and consider credit protection steps.

A top-grossing dark web marketplace goes dark in what experts believe is an exit scam. 

Abacus Market, once the top-grossing dark web marketplace in the West, has gone offline in what experts believe is an exit scam. Users began reporting withdrawal issues in late June 2025, a common sign of admins disappearing with user funds. Though site admin “Vitro” blamed DDoS attacks and a surge of users from the shuttered Archetyp marketplace, skepticism remained. TRM Labs suggests Vitro likely exited to avoid law enforcement, especially after Archetyp’s takedown. Abacus had been operating for four years, selling drugs, cybercrime tools, and counterfeit goods, with revenue surging 183% in 2024. Experts say law enforcement now focuses more on arresting vendors than shutting down marketplaces, as vendor arrests have a broader and longer-lasting impact across the dark web ecosystem.

MITRE launches a cybersecurity framework to address threats in cryptocurrency and digital financial systems. 

MITRE has launched AADAPT, a cybersecurity framework to address threats in cryptocurrency and digital financial systems. Modeled after MITRE ATT&CK, AADAPT helps developers, financial institutions, and policymakers identify and counter risks like phishing, ransomware, and double-spending. Built from input by over 150 experts, it maps real-world adversary tactics targeting digital assets. AADAPT offers tools for threat emulation, detection, and security assessments. It aims to support organizations, especially those with limited resources, in securing digital payment technologies and building trust in this evolving sector.

Experts fear steep budget cuts and layoffs under the Trump administration may undermine cybersecurity information sharing. 

Cybersecurity experts warn that steep budget cuts and layoffs under the Trump administration have severely undermined federal cybersecurity and information sharing, BankInfoSecurity reports. Nearly one-third of the Cybersecurity and Infrastructure Security Agency (CISA) workforce has been cut, and key threat-sharing programs have been defunded. This has led to a sharp drop in public-private collaboration, leaving critical infrastructure more vulnerable to attacks. Programs like the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) are facing backlogs and funding threats, raising global concerns about vulnerability management. Experts say political pressure has silenced federal cyber teams, stalled proactive responses, and fractured communication with the private sector. With major layoffs at agencies like the State Department and the possible expiration of key cybersecurity laws, many fear U.S. cyber defenses are weakening at a critical time.

Meanwhile, the UK’s National Cyber Security Centre (NCSC) has launched the Vulnerability Research Initiative (VRI) to collaborate with external cybersecurity researchers. The initiative aims to enhance the UK’s ability to identify and address software and hardware vulnerabilities by partnering with skilled experts. Researchers will assess targeted products, test mitigations, and disclose findings via the NCSC’s Equities Process. The VRI complements NCSC’s internal efforts and will help build a best-practice framework for vulnerability research, including in emerging areas like AI-powered discovery.

A Maryland IT contractor settles federal allegations of cyber fraud. 

Maryland-based IT contractor Hill Associates has agreed to pay $14.75 million to settle allegations of contract violations with federal agencies. The company was accused of billing for underqualified personnel, unauthorized cybersecurity services, unapproved fees, and inflated overhead costs. These actions allegedly breached contracts with the Department of Justice and Treasury between 2018 and 2023. The settlement, brought under the False Claims Act, includes an additional payment of 2.5% of Hill’s annual revenue over $18.8 million through 2030. The Department of Justice emphasized accountability for IT contractors who fail to meet cybersecurity and billing standards. Hill Associates did not admit liability and has not publicly responded. This is the latest in a series of False Claims Act settlements involving contractors accused of cybersecurity-related fraud.

Stick around after the break as Kim Jones, host of CISO Perspectives, sits down with N2K’s Ethan Cook to reflect on standout moments from the season in this special finale conversation.

Kim Jones, host of CISO Perspectives, and Ethan Cook, N2K analyst, recently sat down to reflect on highlights from this season of CISO Perspectives. They revisit key moments, discuss recurring themes like the cybersecurity workforce gap, and get Ethan’s outsider take on the conversations. Here’s their conversation.

That was Kim Jones, host of CISO Perspectives, in conversation with N2K’s Ethan Cook. If you enjoyed their discussion and want full access to the entire season and their full conversation, become a Pro member to unlock every episode.

A crypto hacker goes hero and gets a hefty reward. 

In the crypto world’s latest twist of irony, a hacker who nabbed $42 million from GMX’s Arbitrum-based liquidity pool has decided to turn white hat, returning the loot in exchange for a $5 million “thank-you” bounty. The re-entrancy attack, a classic smart contract exploit, allowed the attacker to siphon funds before the system caught up. But rather than vanish into digital obscurity, the hacker opted for the Robin Hood-meets-Venmo route: keep a cut, send the rest back. GMX now has the funds secured in its multisig wallet and is crafting a plan for redistribution. Meanwhile, GMX’s token surged over 18%, because apparently, there’s nothing like a good old-fashioned heist-turned-refund to rally the market.


For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. 

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.


N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.