
Open source, open target.
A sweeping malware campaign by North Korea’s Lazarus Group targets open source ecosystems. President Trump announces a new electronic health records system. A new report reveals deep ties between Chinese state-sponsored hackers and Chinese tech companies. Researchers describe a new prompt injection threat targeting LLMs via browser extensions. Palo Alto Networks’ Unit 42 proposes a new Attribution Framework. Honeywell patches six vulnerabilities in its Experion Process Knowledge System. Researchers track the rapid evolution of a sophisticated Android banking trojan. Scattered Spider goes quiet following recent arrests. Our guests are Jermaine Roebuck and Ann Galchutt [GAL-shoot] from CISA, discussing "Open-Source Eviction Strategies Tool for Cyber Incident Response." A Polish trainmaker sues hackers for fixing trains.
Today is Thursday, July 31st, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A sweeping malware campaign by North Korea’s Lazarus Group targets open source ecosystems.
Sonatype has uncovered a sweeping malware campaign by North Korea’s Lazarus Group, targeting open source ecosystems like npm and PyPI. From January to July 2025, Sonatype blocked 234 malicious packages disguised as developer tools. These were actually espionage tools designed to steal data, profile systems, and install persistent backdoors. Over 36,000 systems may be affected.
Lazarus, known for high-profile hacks like Sony Pictures and WannaCry, is shifting from disruption to infiltration, using tailored malware and exploiting weaknesses in open source practices. Developers often install packages without vetting them, making CI/CD pipelines and developer environments prime targets.
The campaign is a wake-up call: open source is now a key cyber battleground. Securing the software supply chain is no longer optional — it’s essential.
President Trump announces a new electronic health records system.
President Trump announced a new electronic health records system aimed at simplifying how Americans share medical data with providers. Backed by tech giants like Google, Apple, Amazon, and OpenAI, the system is opt-in and overseen by the Centers for Medicare and Medicaid Services. It includes AI tools to help users manage symptoms and navigate care, particularly for conditions like diabetes and obesity.
Trump emphasized privacy, saying there would be no centralized government database. However, experts raised concerns about data protection and the lack of clarity around privacy standards, especially with third-party apps not covered by HIPAA. Critics also noted that much of the proposed system already exists and that similar past efforts have struggled. The initiative aims to cut paperwork and enhance health data access, but major regulatory hurdles remain.
A new report reveals deep ties between Chinese state-sponsored hackers and Chinese tech companies.
A new report from SentinelLabs reveals deep ties between Chinese state-sponsored hackers and Chinese tech companies developing offensive cyber tools. The group Silk Typhoon (also known as Hafnium), linked to attacks on U.S. government entities and global IT infrastructure, is connected to firms like iSoon, Shanghai Firetech, and others. These companies allegedly work with China’s Ministry of State Security (MSS) and regional bureaus like the Shanghai State Security Bureau (SSSB).
The report suggests these firms may have helped exploit Microsoft Exchange zero-days in 2021. SentinelLabs highlights that these companies hold patents for tools aiding espionage, forensics, and even HUMINT operations. The scale of the collaboration blurs the line between private sector and state cyber ops, complicating attribution and showing China’s expanding cyber capability through quasi-corporate fronts.
Researchers describe a new prompt injection threat targeting LLMs via browser extensions.
Researchers at LayerX have discovered a new prompt injection threat targeting LLMs via browser extensions—tools used by 99% of enterprise users. These extensions can silently read, modify, and inject prompts into AI tools like ChatGPT, Gemini, and internal LLMs, without needing special permissions. Once compromised, an extension can exfiltrate data, delete its activity, and avoid detection.
This exploit, dubbed “Man-in-the-Prompt,” stems from how AI prompts are handled in the browser’s Document Object Model. Internal LLMs are particularly vulnerable due to their access to sensitive corporate data. Traditional security tools can’t detect these interactions, making it a serious blind spot.
Proof-of-concept attacks on ChatGPT and Gemini show that even minimal extensions can leak IP, financial data, and PII. To mitigate, enterprises must shift to behavior-based browser monitoring and restrict risky extensions in real-time.
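The mitigation the researchers call for, restricting which extensions can run and where, can be enforced centrally in Chromium-based browsers with the ExtensionSettings enterprise policy. The fragment below is an added example, not LayerX's or any vendor's configuration: the extension ID and the internal LLM hostnames are placeholders. The "*" entry is the default applied to every extension (installs blocked, and no extension may run on the internal LLM origins), while the second entry allowlists one vetted extension and still keeps it off those hosts.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "runtime_blocked_hosts": [
        "*://llm.internal.example.com",
        "*://chat.internal.example.com"
      ]
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed",
      "runtime_blocked_hosts": [
        "*://llm.internal.example.com",
        "*://chat.internal.example.com"
      ]
    }
  }
}
```

On Linux this lives in a file under /etc/opt/chrome/policies/managed/; on Windows and macOS the same keys are delivered via Group Policy or a configuration profile. Because runtime_blocked_hosts prevents content scripts from injecting into the listed origins at all, an extension that is otherwise installed cannot read or rewrite the prompt field in the DOM on those pages.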
Palo Alto Networks’ Unit 42 proposes a new Attribution Framework.
Palo Alto Networks’ Unit 42 has proposed a new Attribution Framework, a structured method for attributing cyber threat activity. Working from the notion that traditional attribution relied too heavily on individual analysts and lacked consistency, this new framework, inspired by the Diamond Model and Admiralty System, applies systematic scoring for source reliability and information credibility.
Analysts track threats through three stages: activity clusters, temporary threat groups, and named threat actors. Clusters are formed by linking related incidents, even without knowing the actor’s identity. With enough consistent data over time, these clusters may evolve into temporary groups or fully attributed threat actors.
The framework evaluates data across tactics, tooling, infrastructure, targeting, and timelines, ensuring accuracy and transparency. It emphasizes ongoing reassessment, evidence-based confidence scoring, and rigorous review processes. By formalizing attribution, Unit 42 aims to reduce confusion in threat naming and elevate the professionalism and effectiveness of threat intelligence across the industry.
Honeywell patches six vulnerabilities in its Experion Process Knowledge System.
Honeywell has patched six vulnerabilities in its Experion Process Knowledge System (PKS), used in critical infrastructure sectors globally. CISA flagged the issues, including critical flaws enabling remote code execution via the Control Data Access (CDA) component and high-severity vulnerabilities allowing denial-of-service (DoS) attacks. One medium-severity bug could disrupt communication and system behavior. Russian firm Positive Technologies reported the flaws, which affect isolated industrial systems. Honeywell urges users to apply updates, while researchers recommend robust vulnerability management for protection.
Researchers track the rapid evolution of a sophisticated Android banking trojan.
Zimperium’s zLabs has tracked the rapid evolution of a sophisticated Android banking trojan. Initially spread via phishing sites mimicking European banks, the malware now hides in bogus websites shared on Discord. Its capabilities have grown from basic overlays and keylogging to advanced features like screen capture, fake lock screens, and real-time data exfiltration.
The malware abuses Android’s Accessibility Services, disguises itself with trusted icons, and employs session-based installation to bypass user suspicion. It logs keystrokes, monitors app usage, blocks specific apps with fake system messages, and overlays fake login screens to steal sensitive data. Screen content is captured using MediaProjection APIs, encoded, and silently transmitted to a command and control server.
Researchers have identified multiple samples and emphasize that this malware can compromise passwords, OTPs, crypto wallets, and other critical information. The campaign highlights growing threats in mobile malware and the importance of app permission scrutiny and robust mobile threat defenses.
Scattered Spider goes quiet following recent arrests.
Scattered Spider, a cybercriminal group linked to The Com, has gone quiet following the July 10 arrest of four UK-based suspects tied to cyberattacks on British retailers. Though these individuals aren’t the group’s only members, their arrests appear to have spooked others, halting new activity from the group, according to Mandiant. While suspected attacks on airlines like Hawaiian and WestJet followed, no direct link to Scattered Spider has been confirmed. Experts warn the group is likely just lying low. Meanwhile, other actors affiliated with The Com, such as ShinyHunters (UNC6040), continue using similar social engineering tactics. ShinyHunters has been linked to recent data breaches at Qantas Airlines and Allianz Life, where attackers exploited CRM systems and impersonated IT staff to steal data. The threat from such groups persists, even if one goes dormant.
A Polish trainmaker sues hackers for fixing trains.
Remember when hackers fixed Polish trains in 2023 by removing anti-repair booby traps? Well, the manufacturer, Newag, is back—and now it’s suing. Yes, really. After locking up three more trains last month and briefly refusing to unlock them, Newag filed lawsuits worth over $3 million against both the repair shop (SPS) and ethical hackers from Dragon Sector. Their crime? Making trains work again.
The backstory reads like a dystopian tech comedy: software that disables trains if they linger too long or—gasp—visit a rival repair shop. One version even bricked a train near a totally innocent train station. When confronted, Newag claimed hackers planted the code. Then claimed the same hackers didn’t actually change anything. And then claimed both, in court.
Why? Possibly to keep a tight (and profitable) grip on Poland’s $40M train repair market. As it stands, this legal circus might be less about safety and more about squashing the right to repair—by rail.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights until August 31, 2025. There's a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
