
Source code in the wild aisle.
Stolen Target source code looks real. CISA pulls the plug on Gogs. SAP rushes patches for critical flaws. A suspected Russian spy emerges in Sweden, while Cloudflare threatens to walk away from Italy. Researchers flag a Wi-Fi chipset bug, a long-running Magecart skimming campaign, and a surge in browser-in-the-browser phishing against Facebook users. Mandiant releases a new Salesforce defense tool, and NIST asks how to secure agentic AI before it secures itself. Our guests are Christine Blake and Madison Farabaugh from Inside the Media Minds. Plus, a Dutch court says seven years is still the going rate for a USB-powered cocaine plot.
Today is Tuesday, January 13th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Stolen source code from Target appears to be authentic.
Multiple current and former employees at Target have confirmed to BleepingComputer that source code and documentation recently shared by a threat actor appear to be authentic and tied to real internal systems. Employees recognized internal platform names, proprietary project identifiers, and elements of Target’s technology stack, including its customized CI/CD tooling. Shortly after BleepingComputer contacted the company about the alleged leak, Target implemented an accelerated security change, restricting access to its internal Git server to corporate networks or VPN only. The source of the leak remains unclear. A researcher at Hudson Rock reported a compromised Target employee workstation infected with infostealer malware in 2025, though no direct link to the leaked code has been confirmed. The threat actor claims the full dataset is roughly 860 gigabytes, raising concerns about potential exposure.
CISA orders federal agencies to immediately stop using Gogs.
The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to immediately stop using or lock down Gogs after a high-severity vulnerability was added to its Known Exploited Vulnerabilities catalog. Gogs is an open source, self-hosted Git service used to manage source code repositories. The flaw, tracked as CVE-2025-8110, is a path traversal bug that allows authenticated users to overwrite arbitrary files, effectively enabling remote code execution. According to CISA, the vulnerability is actively exploited and poses significant risk across federal systems. The issue was identified by researchers at Wiz, who found hundreds of exposed Gogs servers already compromised. Gogs has not yet released a fix, forcing users to rely on mitigations like disabling registrations or restricting access behind VPNs. CISA warns that unprotected, internet-exposed instances remain at high risk.
SAP patches four critical vulnerabilities.
SAP has released 17 security notes as part of its January 2026 Security Patch Day, including fixes for four critical vulnerabilities. The most severe is CVE-2026-0501, a SQL injection flaw in S/4HANA that could allow full system compromise. Another critical issue, CVE-2026-0500, enables remote code execution in Wily Introscope via malicious Java Web Start files. SAP also patched two additional critical code injection bugs in S/4HANA and Landscape Transformation components that could lead to operating system command execution. Researchers at Onapsis discovered and reported several of the flaws. Beyond the critical issues, SAP addressed multiple high-, medium-, and low-severity vulnerabilities across HANA, NetWeaver, Fiori, and other products. SAP customers are urged to apply patches promptly, as exposed SAP systems are high-value targets for attackers.
Swedish authorities detain a former IT consultant on suspicion of spying for Russian intelligence.
Swedish authorities have detained a 33-year-old former IT consultant to the armed forces on suspicion of spying for Russian intelligence. Prosecutors say the alleged activity occurred during 2025, though it may date back to 2022. The suspect previously worked with Sweden’s military through an IT services firm and is listed as head of a small cybersecurity company. Officials have released few details, citing national security concerns. The case comes amid heightened scrutiny of suspected Russian espionage across Europe, as Sweden continues its support for Ukraine.
Cloudflare threatens to pull out of Italy over compliance fines.
Cloudflare is threatening to scale back or exit operations in Italy after the country’s communications regulator, AGCOM, fined the company roughly €14 million for failing to comply with Italy’s anti-piracy “Piracy Shield” system. The fine equals about one percent of Cloudflare’s global revenue and exceeds what it earns in Italy. Piracy Shield allows rights holders to request rapid IP and DNS blocking of suspected pirate services, a process Cloudflare argues lacks judicial oversight and risks widespread collateral censorship. CEO Matthew Prince called the system incompatible with democratic values and said the company will appeal. He warned Cloudflare could withdraw free services, remove Italian servers, and halt support for the upcoming Milan-Cortina Winter Olympics if the dispute is not resolved.
Researchers discover a chipset-level vulnerability in Wi-Fi.
Researchers say a flaw in Broadcom wireless chipsets can let attackers repeatedly disable the 5 gigahertz Wi-Fi band on affected routers, regardless of security settings. Black Duck found that a single malformed wireless frame could knock all 5 GHz clients offline during testing on an ASUS router. The issue stems from a chipset-level vulnerability, not configuration errors, and does not require authentication. Broadcom has issued a patch, but researchers warn protocol-level flaws can bypass even strong encryption and enable follow-on attacks like rogue “evil twin” networks.
Mandiant shares an open source tool to help Salesforce administrators identify misconfigurations.
Mandiant has released AuraInspector, an open source tool designed to help Salesforce administrators identify misconfigurations that could expose sensitive data. The tool focuses on access control issues in Salesforce Aura, the user interface framework behind Experience Cloud sites. While Aura itself is not inherently insecure, configuration mistakes can allow unauthenticated users to access records or abuse APIs to extract data. AuraInspector automates common abuse scenarios and provides remediation guidance, while operating in read-only mode. Mandiant says the tool is intended to help defenders secure legacy Aura deployments that remain widely used despite newer frameworks.
Researchers warn of a large-scale Magecart-style digital skimming campaign.
Security researchers at Silent Push are warning about a large-scale Magecart-style digital skimming campaign that has operated largely undetected since 2022. The campaign uses malicious JavaScript to target checkout pages tied to major payment networks including Visa competitors such as American Express, Mastercard, Discover, JCB, Diners Club, and UnionPay, putting most credit card users at risk. The skimmers run client-side in victims’ browsers, making them difficult for site owners to detect. Silent Push traced the activity to infrastructure linked to a bulletproof hosting provider and found long-running infections across multiple sites. The attacks replace legitimate payment forms with convincing fakes, silently stealing card and personal data. Researchers urge stronger content security policies, access controls, and regular monitoring to reduce exposure.
Attackers use browser-in-the-browser techniques to steal Facebook credentials.
Researchers at Trellix say attackers are increasingly using the browser-in-the-browser phishing technique to steal Facebook account credentials. The method uses fake login pop-ups built with iframes that closely mimic legitimate authentication windows, making scams harder to spot. Recent campaigns impersonate law firms or Meta security alerts and often rely on shortened links and trusted cloud hosting platforms. Trellix warns the approach marks an escalation in phishing sophistication and urges users to navigate directly to official sites, avoid embedded links, and enable multi-factor authentication to reduce account takeover risk.
NIST seeks public input on securing agentic AI.
The National Institute of Standards and Technology is seeking public input on how to secure agentic artificial intelligence systems as their use expands across government and critical infrastructure. In a new request for information, NIST asks industry and researchers to assess security risks tied to AI agents, defined as systems that combine generative models with software that enables planning and autonomous action. NIST warns these systems introduce unique threats, including hijacking, data poisoning, prompt injection, and hidden backdoors. Security leaders say those risks are already emerging as agencies deploy AI faster than protective controls mature. Qualys noted that weak governance could allow attackers to manipulate alerts or disable defenses. NIST aims to use the feedback to develop guidelines, evaluation methods, and best practices before agentic AI becomes deeply embedded in high-impact government operations.
A judge upholds a seven-year sentence for a USB-powered cocaine plot.
A Dutch appeals court has decided that hacking a sea port with malware-laced USB sticks, all in the name of cocaine logistics, still counts as very much illegal, even if you complain about police reading your chats. The Amsterdam Court of Appeal upheld a seven-year sentence for a man who turned port IT systems into a convenience tool for smugglers, rejecting arguments that encrypted SkyECC messages should have stayed private.
According to the court, the defendant played a hands-on role, persuading a terminal employee to plug in an infected USB stick, which opened months of remote access. His chats read like a running commentary on the break-in, grumbling about intrusion detection and promising to wipe logs once he got admin rights. Judges were unimpressed by claims this was somehow authorized or unfairly prosecuted. The hack, they found, helped coordinate a 210-kilogram cocaine shipment disguised as wine. One massive drug charge was dropped, but the sentence, confiscations, and cleanup costs largely stayed put.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
And that’s the CyberWire Daily, brought to you by N2K CyberWire.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
