Netizen Blog and News

The Netizen team sharing expertise, insights and useful information in cybersecurity, compliance, and software assurance.

recent posts

about

  • Netizen: Monday Security Brief (12/8/2025)

    Netizen: Monday Security Brief (12/8/2025)

    Today’s Topics:

    • Detecting React2Shell: What Security Teams Should Be Watching for Right Now
    • BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms
    • How can Netizen help?

    Detecting React2Shell: What Security Teams Should Be Watching for Right Now

    Since the disclosure of CVE-2025-55182 on December 3, 2025, most of the attention around React2Shell has centered on patching timelines and framework exposure. That is necessary, but for many environments, detection is the real safety net while fixes are staged, tested, and deployed. This vulnerability enables unauthenticated remote code execution against React Server Components through a single crafted HTTP request, and public proof-of-concept code is already circulating. With default configurations proving exploitable in most cases, security teams should assume active scanning and live exploitation attempts are already taking place.

    The core behavior to watch for is unexpected server-side command execution originating from Next.js, React Router, or other RSC-backed runtimes. Once the deserialization flaw in the React “Flight” protocol is triggered, attackers can instruct the server to spawn shell commands directly. In practice, this often surfaces as web-facing services suddenly executing file system commands, downloading secondary payloads, or opening outbound connections that do not align with normal application behavior. Any instance of a web server process invoking utilities like ls, cat, curl, wget, chmod, or similar tools in production should be treated as a high-confidence signal.

    Runtime detection has already proven effective against this activity. The Sysdig Threat Research Team reinforced its “Suspicious Command Executed by Web Server” logic to catch React2Shell exploitation as it happens. Their Falco rule focuses on process execution events where a shell is launched by next-server, react-router, waku, or vite-related processes and then used to execute common Unix commands. In observed cases, this rule alone has been sufficient to surface exploitation almost immediately. Additional runtime alerts such as reverse shell detections and UNIX socket redirections have also been triggered during real attack simulations, which aligns with attacker behavior focused on persistence and remote control.

    Network-layer protections also play a role, though they should be treated strictly as short-term containment. Cloudflare, Google Cloud Armor, Vercel, and Firebase have all deployed platform-level rules aimed at blocking exploitation attempts tied to unsafe deserialization in POST requests. These controls can reduce opportunistic attacks, but they do not change the underlying application behavior. WAF bypass techniques remain a routine part of modern exploit chains, so organizations relying solely on edge filtering remain exposed.

    Vulnerability scanning adds another detection layer, though teams should be cautious about tool quality. Many publicly shared scanners misidentify React2Shell or fail to confirm exploitability accurately. Assetnote released one of the more reliable approaches by triggering a specific server error response tied to the vulnerable deserialization logic. Platforms with integrated vulnerability management can already flag affected React packages directly through software inventory, which helps prioritize response across large environments.

    From a defensive standpoint, the detection priority is straightforward: watch for anomalous command execution by web services, monitor outbound connections from application servers that do not normally initiate external traffic, and treat any reverse shell indicators as confirmation of compromise. These signals tend to appear quickly after successful exploitation because attackers gain immediate code execution and typically move to payload delivery or persistence within seconds.

    Patching remains the only real fix, but detection is what buys response teams time. Updated React Server Components releases at 19.0.1, 19.1.2, and 19.2.1 remove the vulnerable code path, and patched Next.js versions close downstream exposure. Until those updates are fully deployed, continuous runtime monitoring is the line that separates a blocked exploit attempt from a full server takeover.

    BRICKSTORM: How PRC Operators Are Turning VMware and Cloud Infrastructure into Long-Term Access Platforms

    CISA confirmed last week that a sophisticated backdoor called BRICKSTORM is being actively used by state-sponsored operators from the People’s Republic of China to maintain long-term, covert access inside U.S. networks. The malware targets both VMware vSphere and Windows environments and is designed for persistence, remote command execution, and stealthy command-and-control. According to CISA, BRICKSTORM gives attackers interactive shell access along with full file manipulation capabilities, making it a powerful post-exploitation platform rather than a simple loader or beacon.

    BRICKSTORM is written in Golang and supports multiple C2 channels, including HTTPS, WebSockets, nested TLS, and DNS-over-HTTPS. It can also operate as a SOCKS proxy, which allows attackers to tunnel traffic through compromised systems and pivot deeper into internal networks. One of its more dangerous traits is its built-in self-monitoring logic that automatically reinstalls or restarts the implant if it is disrupted. That single feature sharply increases dwell time by allowing the malware to survive partial remediation efforts.

    The malware was first documented in 2024 by Google Mandiant during investigations tied to the zero-day exploitation of Ivanti Connect Secure vulnerabilities, including CVE-2023-46805 and CVE-2024-21887. Since then, the activity has matured. CISA now ties the tool to operations conducted by UNC5221 and a separate China-nexus threat cluster that CrowdStrike tracks as Warp Panda. CrowdStrike reports that Warp Panda has been active since at least 2022 and has focused heavily on VMware vCenter environments inside U.S. legal, technology, and manufacturing organizations throughout 2025.

    In one confirmed intrusion, attackers gained initial access to a public-facing web server inside a DMZ using a web shell, then moved laterally into an internal vCenter server where BRICKSTORM was implanted after privilege escalation. From there, the operators harvested service account credentials, accessed a domain controller over RDP, and extracted Active Directory data. They continued moving laterally using SMB to additional jump servers and an ADFS server, where cryptographic keys were exfiltrated. From the compromised vCenter system, they were then able to shovel traffic between hypervisors and guest VMs while disguising BRICKSTORM as a legitimate vCenter process.

    CISA’s technical breakdown shows that BRICKSTORM relies on custom handlers to spin up web servers on compromised hosts, establish SOCKS proxy tunnels, and execute commands remotely. Some components are purpose-built for virtualized environments and leverage the VSOCK interface for inter-VM communication, data exfiltration, and resilience across ESXi hosts and guest machines. CrowdStrike confirmed that in several intrusions, BRICKSTORM was deployed alongside two previously undocumented Golang implants named Junction and GuestConduit. Junction acts as a local HTTP command server and proxy layer on ESXi hosts, while GuestConduit sits inside guest VMs and maintains a persistent VSOCK listener on port 5555 to bridge traffic back to the hypervisor.

    Initial access continues to rely on edge device exploitation and stolen or abused credentials. Confirmed vulnerabilities include multiple Ivanti Connect Secure flaws, VMware vCenter bugs such as CVE-2024-38812, CVE-2023-34048, and CVE-2021-22005, as well as CVE-2023-46747 in F5 BIG-IP. Once inside vCenter, the attackers use SSH, the privileged “vpxuser” account, and SFTP to move laterally and shuttle data between hosts. Their cleanup discipline remains strong, with timestomping, aggressive log clearing, and short-lived rogue virtual machines used for staging operations before being destroyed.

    What makes Warp Panda’s activity especially concerning is its cloud focus. CrowdStrike described the group as “cloud-conscious,” noting repeated abuse of Microsoft Azure environments after on-prem compromise. Attackers accessed OneDrive, SharePoint, and Exchange by stealing browser session tokens and replaying them through BRICKSTORM tunnels. In at least one case, they registered new MFA devices to entrench access and used Microsoft Graph API calls to enumerate service principals, applications, directory roles, and user mailboxes. This shows a clean operational bridge between on-prem virtualization compromise and direct exploitation of SaaS identity planes.

    The operational goal is not disruption. Everything about this malware stack points to intelligence collection and quiet, long-term access. CrowdStrike observed attackers cloning domain controller virtual machines inside vCenter to extract Active Directory databases offline. They also accessed employee email accounts aligned with Chinese government interest areas and performed limited reconnaissance against foreign government networks from within U.S. infrastructure. This is classic strategic access behavior backed by modern virtualization tradecraft.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Chinese Threat Groups Move Fast on Newly Disclosed React2Shell Vulnerability

    Chinese Threat Groups Move Fast on Newly Disclosed React2Shell Vulnerability

    A new round of activity tied to China-based operators began almost immediately after details of CVE-2025-55182 were released. The flaw, now nicknamed React2Shell, affects React Server Components and grants remote code execution without authentication. With a perfect CVSS score of 10.0, the weakness attracted interest from multiple actors within hours, according to new reporting from Amazon Web Services.

    Patches and Early Exploitation Attempts

    Patches landed in React versions 19.0.1, 19.1.2, and 19.2.1. Even with fixes available, attempts to exploit unpatched systems appeared nearly in real time across AWS MadPot honeypots. CJ Moses, CISO of Amazon Integrated Security, noted that the traffic matched long-running Chinese state-linked infrastructure and patterns that analysts have tracked for several years.

    Earth Lamia’s Activity

    One cluster of attempts came from sources tied to Earth Lamia, the same group responsible for exploiting SAP NetWeaver (CVE-2025-31324) earlier this year. Earth Lamia has shown wide geographic reach, hitting organizations across financial services, logistics, retail, higher education, government entities, and general IT across Latin America, the Middle East, and Southeast Asia. Their behavior around React2Shell fits with that pattern: broad reconnaissance, automated probing, and a desire to reach new entry points before defenders finish patching.

    Jackpot Panda’s Parallel Interest

    A second wave matched indicators linked to Jackpot Panda. This actor has a long-running focus on gambling-adjacent operations in East and Southeast Asia, and is known for supply chain compromises, including the Comm100 incident in 2022. Research from CrowdStrike and ESET has tied Jackpot Panda to a series of campaigns that rely on manipulated installers, staged implants, and credential theft. More recent work suggests that I-Soon, a Chinese contractor, may have supported portions of those operations due to infrastructure overlap.

    By 2023, Jackpot Panda had shifted attention inward, aiming at Chinese-speaking users through trojanized CloudChat installers. Those installers set up a multi-stage chain that delivered an implant named XShade, which analysts say overlaps with the group’s earlier CplRAT tooling. Their presence in the early React2Shell exploitation window signals how quickly established operators adjust playbooks once a fresh entry point appears.

    What Early Probing Looked Like

    AWS observed attackers testing basic shell commands, creating or modifying files such as /tmp/pwned.txt, and attempting to read /etc/passwd. This pattern reflects the early phase of an opportunistic campaign—simple checks to confirm that the target is vulnerable, followed by a gradual shift into more tailored post-exploitation activity. The same scanners also attempted to weaponize N-day issues such as the NUUO Camera flaw (CVE-2025-1338), which points to a broad sweep rather than a single-purpose operation.

    Moses described the workflow as a routine cycle for these groups: watch vulnerability disclosures closely, grab public exploit code as soon as it appears, and feed it into sweeping infrastructure that tests multiple CVEs at once. Whoever falls behind on patching becomes the easiest target.

    Cloudflare’s Brief Outage

    At the same time, the broader ecosystem felt the ripple effect of the disclosure. Cloudflare experienced a short but very visible service interruption that produced waves of 500 errors across major sites. The company later clarified that the problem came from an internal change to its Web Application Firewall. The update was intended to expand protection for the new React2Shell issue. A parsing error caused the outage, not any attempt by threat actors to hit Cloudflare’s systems.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Inside Lazarus Group’s Remote-Worker Scheme: Researchers Capture the Operation Live

    Inside Lazarus Group’s Remote-Worker Scheme: Researchers Capture the Operation Live

    A joint investigation by BCA LTD, NorthScan, and ANY.RUN has provided an unusually clear look into one of North Korea’s most persistent infiltration methods. Instead of relying on malware or exploit chains, the operators tied to Lazarus Group’s Famous Chollima division attempted to slip remote IT workers into Western companies under stolen or borrowed identities. The research teams managed to watch this activity play out live, using purpose-built sandbox environments that the operators believed were ordinary developer laptops.

    How the Scheme Works

    The operation began with a familiar introduction: a recruiter message offering a remote IT position. In this case, the recruiter used the alias “Aaron,” also known as “Blaze,” a persona previously linked to Chollima activity. Blaze’s pitch followed the same pattern seen in earlier cases, presenting a job-placement “business” that would place a U.S. developer in a remote role, while a North Korean operator actually performed the work.

    The goal remained the same as in past incidents. Operators attempted to borrow or take over an identity, pass interviews with AI-generated answers, work remotely by controlling the victim’s laptop, and route the salary back to DPRK channels. Once Blaze requested everything from SSN and government ID to full-time remote access and uninterrupted laptop availability, the researchers shifted into a controlled environment.

    The Fake Laptops That Exposed the Operation

    BCA LTD’s Mauro Eldritch deployed ANY.RUN’s long-running virtual machines, configured to appear indistinguishable from real personal workstations. They carried typical developer tools, normal browser history, and realistic usage patterns, along with network routing that matched U.S. residential activity.

    These systems gave the research teams full visibility. They could watch sessions in real time, record every action, throttle the network, force crashes, and capture system snapshots. The operators, convinced they were working on legitimate devices, proceeded normally.

    What Investigators Saw Inside Famous Chollima’s Toolkit

    The sessions revealed a streamlined toolset focused almost entirely on identity takeover and remote access. Once the operators synced their Chrome profiles, they began loading the tools they rely on across many of these campaigns.

    The setup included AI-driven platforms such as Simplify Copilot, AiApply, and Final Round AI, which helped automate job applications and provide pre-written interview responses. Browser-based one-time passcode utilities such as OTP.ee and Authenticator.cc appeared as soon as they collected personal documents, giving them the ability to manage the victim’s two-factor authentication.

    Google Remote Desktop, configured through PowerShell with a fixed PIN, became the primary access channel. To validate the environment, the operators ran simple reconnaissance utilities such as dxdiag, systeminfo, and whoami. All traffic consistently moved through Astrill VPN, matching patterns tied to earlier Lazarus infrastructure.

    At one point, an operator even left a Notepad message requesting uploads of a government ID, SSN, and banking details. The intent behind the scheme was unmistakable: complete control of the identity and workstation of a U.S.-based employee without pushing malware or triggering traditional defenses.

    Why This Matters for Employers

    The activity highlights a growing risk for hiring teams. Remote recruitment provides attackers with a quiet avenue into corporate environments. Instead of breaching external services or exploiting software vulnerabilities, they gain access by passing job interviews and taking control of an employee’s laptop once hired.

    This raises the stakes beyond a single compromised worker. A successful infiltrator could reach internal dashboards, sensitive operational systems, or even managerial accounts if the organization does not have strong identity and endpoint controls. The investigation shows that these schemes rely on social engineering, identity theft, and remote-access tooling rather than traditional malware delivery.

    Building internal awareness and giving staff a place to report suspicious interactions can play a significant role in catching these schemes early. Companies that review unusual requests, identity inconsistencies, or access demands are in a stronger position to prevent such infiltration attempts before they escalate into operational consequences.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Building Incident Readiness with SOC-as-a-Service

    Building Incident Readiness with SOC-as-a-Service

    Many organizations reach a stage where internal teams cannot keep up with rising alert volumes, broader attack surfaces, or an expanding mix of on-prem and cloud infrastructure. Modern environments generate millions of telemetry points per day, and even a well-staffed IT group often struggles to maintain visibility across workloads, identities, SaaS platforms, and rapidly changing cloud services. Building an in-house SOC demands years of staffing, tooling, tuning, and process development, along with continuous investments in threat intelligence, incident response training, and coverage for nights, weekends, and holidays. SOC-as-a-Service offers a faster option by delivering full monitoring and response capabilities through a managed, cloud-based operation that does not require dedicated physical space, custom-built infrastructure, or the hiring of specialized roles that are currently in short supply across the industry.

    What SOCaaS Provides

    A SOCaaS provider operates a remote security center that performs monitoring, log analysis, threat detection, investigation, and coordinated incident response across the customer’s environment. Providers typically ingest telemetry from SIEM platforms, EDR tools, NDR solutions, identity systems, cloud control planes, and API-driven SaaS logs. Correlation rules, behavioral analytics, and threat intelligence feeds help analysts spot activity that may not be obvious when viewed in isolation.

    This model gives organizations consistent coverage and access to analysts, responders, hunters, architects, and compliance specialists who would be difficult to hire or retain on their own. Many providers maintain global teams that hand off investigations as time zones change, which keeps triage and containment moving without disruption. Because the provider handles the operational workload, internal teams focus on security improvements, tabletop exercises, patching coordination, and strategic projects instead of sorting through routine alerts.

    Continuous Monitoring, Faster Detection, and Containment

    Readiness improves as soon as continuous monitoring begins. SOC teams review activity across networks, servers, endpoints, identity platforms, and cloud workloads at every hour. They filter benign events, enrich suspicious ones with context, and escalate only when necessary. This reduces alert fatigue and shortens the gap between an attacker’s initial action and the start of an investigation.

    During an intrusion, early signs often appear in subtle ways, such as token misuse, authentication anomalies, or privilege elevation attempts that do not immediately trigger alarms. SOCaaS analysts are trained to spot these indicators and push investigations forward before an adversary can deepen their foothold. Once a threat is confirmed, responders isolate endpoints, disable compromised accounts, block malicious IPs, or revoke cloud tokens, depending on what the customer environment supports. The goal is to slow or stop lateral movement, protect sensitive assets, and keep the intrusion contained while a coordinated response is planned.

    Threat Hunting and Maturity Gains

    SOCaaS strengthens readiness through access to specialists who perform structured and hypothesis-driven threat hunting. These teams analyze unusual patterns in authentication flow, process execution, registry changes, cloud API calls, or east-west network traffic to find activity that might not trigger automated detections. They look for persistence mechanisms such as scheduled tasks, registry run keys, cloud-managed identity tokens, or browser-stored credentials that attackers rely on to regain access.

    Hunting often reveals misconfigurations or overlooked assets that attackers could eventually exploit. The provider documents these findings and works with internal teams to close gaps. Over time, this process improves detection logic and tightens controls. Because the provider brings mature procedures, tuned SIEM pipelines, tested playbooks, and dedicated role separation, organizations gain access to a level of capability that normally takes years to develop and refine internally.

    Scaling and Cost Predictability

    As organizations expand cloud workloads or adopt new SaaS platforms, their telemetry output grows quickly. SOCaaS providers scale ingestion pipelines, data storage, and staffing without requiring the customer to redesign their own architecture. This ensures that spikes in activity, seasonal changes, or incident-heavy periods do not overwhelm the internal security team.

    Costs also become more predictable because hardware refresh cycles, licensing for SIEM and EDR platforms, training requirements, and staffing burdens shift to the provider. Most SOCaaS offerings use consumption-based or tiered pricing that aligns with data volume or seat count. This reduces unexpected expenses and gives leadership a clearer view of long-term security spending.

    Coordination and Oversight

    The relationship between the customer and the SOCaaS provider depends on constant communication. Coordinators keep both sides aligned on active investigations, detection pipeline adjustments, incident timelines, and ongoing risk areas. Regular reporting helps leadership understand attack trends, emerging techniques, and the organization’s overall security posture. Some providers also assist with compliance needs, such as log retention, audit preparation, and control mapping for standards like ISO 27001, SOC 2, HIPAA, or CMMC.

    Customers retain strategic control, deciding which actions the provider can execute automatically and which require approval. This ensures that the outsourced SOC feels like an extension of the internal team rather than a detached service.

    Expanding Incident Readiness Over Time

    A strong SOCaaS relationship improves more than detection and response. It also accelerates long-term readiness by helping organizations develop clearer asset inventories, maintain healthier logging pipelines, document incident procedures, and test their response playbooks through tabletop exercises and simulated attacks. Over time, the internal team grows more capable, and the SOCaaS provider becomes a central partner in strengthening the organization’s resilience.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that strengthens organizations by delivering cybersecurity capabilities that improve visibility, response, and resilience across modern environments. In the context of SOC-as-a-Service, our mission is centered on helping government, defense, and commercial clients build incident readiness without the burden of standing up a full in-house SOC. Our team develops and supports advanced monitoring, detection, and response solutions that give customers the level of coverage and operational structure they need to protect their networks, identities, and cloud workloads.

    Our “CISO-as-a-Service” offering already demonstrates how we extend executive-level expertise to organizations that need high-end guidance without internal hiring. The same principle applies to our SOC; Netizen operates a state-of-the-art 24x7x365 Security Operations Center that provides continuous monitoring, alert triage, detection engineering, incident response coordination, and threat hunting for clients that require dependable coverage. These services support the readiness goals outlined in this article by improving early detection, reducing breakout time, and offering access to specialized analysts and hunters who understand the demands of sensitive and regulated environments.

    Our portfolio complements SOCaaS by including cybersecurity assessments and advisory, hosted SIEM and EDR/XDR services, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. This allows organizations to integrate SOCaaS with broader security initiatives such as modernization projects, compliance readiness, and vulnerability management. We specialize in environments where strict standards, technical precision, and operational consistency are mandatory, which makes our team a natural partner for organizations working to raise their detection and response maturity.

    Netizen maintains ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations, reflecting the stability and maturity required for a high-quality SOC operation. As a Service-Disabled Veteran-Owned Small Business certified by the U.S. Small Business Administration, we have been recognized repeatedly through the Inc. 5000, Vet 100, national Best Workplace awards, and numerous honors for veteran hiring, innovation, and organizational excellence.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (12/1/2025)

    Netizen: Monday Security Brief (12/1/2025)

    Today’s Topics:

    • CISA Flags Active XSS Exploitation in OpenPLC ScadaBR
    • DPRK Group Seeds npm Registry with Another Set of Loader Packages
    • How can Netizen help?

    CISA Flags Active XSS Exploitation in OpenPLC ScadaBR

    CISA has added CVE-2021-26829 to the Known Exploited Vulnerabilities catalog after investigators confirmed that the flaw has been used in real attacks. The weakness is a cross site scripting issue in OpenPLC ScadaBR, present in Windows versions through 1.12.4 and Linux versions through 0.9.1. It is tied to the system_settings.shtm page and carries a CVSS score of 5.4. Although it is not a high score, its presence in the KEV list means attackers are actively trying to use it in operational environments.

    Much of the renewed attention came from research into a September 2025 incident involving a Forescout honeypot. The system was built to resemble a small water treatment plant. TwoNet, a pro-Russian hacktivist group, accessed it through default credentials and created a new user account called BARLATI. They spent roughly a day moving from initial access to simple changes inside the web interface. They used the vulnerability to deface the HMI login page with a pop up message that read “Hacked by Barlati” and then attempted to turn off logs and alarms, unaware that the environment was a decoy. Their activity stayed within the web layer and showed no attempt to escalate privileges or reach the underlying host. The action fit their pattern of blending older web exploitation with loud claims about industrial targets.

    TwoNet has been shifting its tactics throughout the year. The group started on Telegram in January with uncomplicated DDoS attacks and has since moved into industrial systems, doxxing, paid access, ransomware services, and broad hack-for-hire activity. They have also tied their brand to other hacktivist groups such as CyberTroops and OverFlame. Their interest in industrial interfaces appears to be part of a strategy focused on visibility rather than deep technical control.

    Federal Civilian Executive Branch agencies now have until December 19, 2025 to apply the required updates. Any organization running ScadaBR, including those outside government, should confirm that patches are installed, interfaces are not exposed unnecessarily, and default passwords have been removed.

    Around the same period, VulnCheck uncovered a separate campaign built on an Out of Band Application Security Testing endpoint hosted in Google Cloud. The infrastructure has been active for at least a year and shows a pattern of activity aimed at Brazil. Sensor data revealed more than 1,400 exploit attempts tied to over 200 CVEs. Many of the requests used familiar Nuclei style signatures although the payloads and geographic pattern pointed to a more focused operator. Successful exploitation triggered callbacks to subdomains under i-sh.detectors-testing[.]com. Activity has been traced to US based Google Cloud systems, which allows the attacker to blend in with normal traffic.

    VulnCheck also discovered a Java class file at 34.136.22[.]26 called TouchFile.class. The file expands on a public Fastjson remote code execution proof of concept, adding the ability to accept commands and URL parameters and send outbound HTTP requests. The length of time the infrastructure has been active and the narrow geographic focus suggests a sustained scanning effort rather than a series of short, opportunistic sweeps.

    DPRK Group Seeds npm Registry with Another Set of Loader Packages

    North Korean operators tied to the Contagious Interview activity have pushed another 197 malicious packages into the npm registry, continuing a steady pattern that started late last month. Socket’s telemetry shows more than 31,000 downloads across these uploads. Each package acts as a loader for an updated build of OtterCookie that blends traits from BeaverTail with older OtterCookie versions, which mirrors what researchers have been documenting for several weeks.

    Some of the loaders appeared under familiar names such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once launched, the malware checks for sandboxes and virtual machines, collects basic system information, and opens a command channel. With that foothold, the operators gain a remote shell along with the ability to capture keystrokes, screenshots, clipboard data, browser credentials, documents, and cryptocurrency wallet information including seed phrases.

    Researchers have been noting the shrinking gap between OtterCookie and BeaverTail. Cisco Talos described this overlap last month during an investigation into an infection that reached a system tied to an organization in Sri Lanka. In that case, the user had been tricked into running a Node.js application that formed part of a staged job interview.

    Further review shows that these npm packages connect to a hard coded Vercel address, tetrismic.vercel[.]app. That server fetches the cross platform OtterCookie payload from a GitHub repository controlled by the actor. The GitHub profile behind the distribution, stardev0914, has since disappeared.

    Kirill Boychenko at Socket noted that the pace of these uploads makes Contagious Interview one of the most active efforts abusing the npm ecosystem. The campaign fits a broader pattern where North Korean operators blend developer tooling with workflows tied to cryptocurrency projects, JavaScript development, and common open source utilities.

    A related wing of this activity has shown up in a separate set of fake assessment websites. These sites walk victims through steps that mimic ClickFix troubleshooting. During the flow, the user is persuaded to download malware written in Go, often described as GolangGhost or FlexibleFerret. The operation goes by the name ClickFake Interview. After running, the malware contacts a built in command server and waits for instructions. It can collect system data, run commands, move files, and gather information from Google Chrome. Persistence is handled through a macOS LaunchAgent that triggers a shell script at login. A decoy application also appears during this process, showing camera or microphone prompts that look like Chrome and later presenting a fake Chrome password window that stores the user’s input and sends it to a Dropbox account.

    Despite some shared themes, analysts have stressed that this operation differs from the separate DPRK IT worker schemes where operators embed themselves into companies under borrowed identities. Contagious Interview instead targets individuals directly through job postings, coding tests, and staged hiring portals that act as delivery systems for malware.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen Cybersecurity Bulletin (November 28th, 2025)

    Netizen Cybersecurity Bulletin (November 28th, 2025)

    Overview:

    • Phish Tale of the Week
    • North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages
    • Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals
    • How can Netizen help?

    Phish Tale of the Week

    Ofteften times phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this text message, the actors are appearing as USPS, the United States Postal Service, and informing you that action needs to be taken regarding your delivery. The message politely explains that “USPS” is holding our package at a warehouse, and that we just need to update our address in order to receive it. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there’s plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this smishing link:

    1. The first red flag in this message is the senders’ address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their messaging address, and a simple look at the sender’s address makes it very apparent that the email is not from USPS. In the future, review the sender’s address thoroughly to see if a text could be coming from a threat actor.
    2. The second warning signs in this text is the messaging. This message tries to create a sense of urgency by using language such as “cannot be delivered” and “within 12 hours.” Phishing scams commonly attempt to create a sense of urgency in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link sent through SMS.
    3. The final warning sign for this email is the lack of legitimate USPS information. Fortune 500 companies, the government and similar organizations standardize all communications with customers. This text includes a small “thank you” message at the bottom in an attempt to gain credibility, but it lacks all of the parts of a credible USPS message and can be immediately detected as a phishing attempt.


    General Recommendations:

    smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages. 

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one I already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

    Many smishing messages pose a sense of urgency or even aggressiveness to prompt a form of intimidation. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    North Korea’s Contagious Interview Campaign Expands With Nearly 200 New Malicious npm Packages

    North Korean operators have widened their Contagious Interview activity with another wave of poisoned npm packages, adding 197 new entries to the registry in just a few weeks. Socket’s telemetry places the total download count at more than 31,000, which suggests the threat actors are still finding plenty of opportunities to slip their tooling into ordinary JavaScript workflows. The new uploads act as loaders for an updated OtterCookie variant that blends traits from BeaverTail and earlier OtterCookie builds, reinforcing what researchers have been observing for several months: the two codebases are drifting into the same family rather than standing apart as separate projects.

    Much of the activity is wrapped in familiar-sounding packages such as bcryptjs-node, cross-sessions, json-oauth, node-tailwind, react-adparser, session-keeper, tailwind-magic, tailwindcss-forms, and webpack-loadcss. Once installed and run, the malware begins with basic checks to spot sandboxes or virtual machines, then gathers details about the device before opening a command channel. From that point, the operators gain a remote shell and a broad set of collection tools, ranging from clipboard theft and keylogging to screenshot capture, browser credential extraction, document harvesting, and pulling cryptocurrency wallet data and seed phrases.

    Cisco Talos noted last month that the line between OtterCookie and BeaverTail has been fading. Analysts linked this to an earlier incident involving a Sri Lanka-based organization where a user was coaxed into launching a Node.js application as part of a fake job interview. The loader packages in the current wave behave in a similar way. They reach out to a hard-coded Vercel address, tetrismic.vercel[.]app, and retrieve the cross-platform payload from a GitHub repository tied to the now-removed account “stardev0914.” The infrastructure’s disappearance came only after researchers identified it publicly.

    Security researcher Kirill Boychenko described the pace of uploads as one of the clearest signs of how deeply North Korean teams have woven themselves into JavaScript and crypto-adjacent development habits. The operators are treating npm as both a distribution network and a trust anchor, counting on developers to install small utilities that look harmless during setup.

    Parallel efforts tied to the same adversary set have been pushing another malware family called GolangGhost, also known as FlexibleFerret or WeaselStore. These infections often start from fake skills tests or hiring portals that imitate real technical assessments. Victims are sent instructions resembling ClickFix-style troubleshooting steps for camera or microphone issues. Running the provided material leads to a Golang-based payload that reaches out to a fixed command server, maintains a steady instruction loop, and can run system commands, move files, and scrape Chrome data. It also establishes persistence on macOS through a LaunchAgent and displays a decoy application that impersonates a Chrome permission prompt. Afterward, a fake Chrome password box appears, capturing whatever the user enters and uploading it directly to a Dropbox account controlled by the threat actors.

    Researchers studying this branch of activity emphasize that it differs from DPRK schemes built around long-term infiltration of legitimate companies through falsified identities. Contagious Interview focuses on corrupting the hiring process itself, relying on staged recruitment workflows, malicious coding tasks, and fraudulent job platforms to compromise individuals before they ever reach a real workplace.

    To read more about this article, click here.

    Dark LLMs Promise Chaos, Deliver Training Wheels for Low-Tier Cybercriminals

    Dark-language-model storefronts have been buzzing with activity for the past few years, but the results still fall far short of the sweeping predictions made when generative AI first arrived. The excitement that followed the release of early chatbots led many in security to believe attackers would soon be able to generate advanced malware or run fully automated operations with minimal effort. The underground’s current tools show a different reality. They help inexperienced users write cleaner phishing messages, fix awkward grammar, and produce simple scripts, but little else.

    This gap becomes clear when looking at platforms like WormGPT 4 and KawaiiGPT, which Palo Alto Networks’ Unit 42 recently examined. Both models sell themselves as unfiltered alternatives to mainstream AI systems, promising unrestricted output and freedom from safety constraints. In practice, the capabilities hardly rise above basic malware scaffolding. They can assemble small pieces of Python, churn out smooth ransom notes, and give amateur operators a sense of confidence, though their technical contributions stay well within the boundaries of what has been circulating online for years.

    Dark LLMs first captured attention in 2023 with WormGPT, a paid service marketed as an escape hatch from ChatGPT’s limitations. Its creators claimed it was trained on malware and exploit content, making it ideal for novice attackers who needed a quick utility for phishing messages or simple code snippets. The model generated plenty of conversation but left little evidence of serious use in real intrusions. Even so, it established a template for the tools that followed, including the current WormGPT 4 variant.

    WormGPT 4 repeats many of the same promises, offering to generate “any content” without oversight. When prompted for resources to aid a ransomware operation, it delivered a polished ransom note and a crude locker that targeted PDF files, expandable to other extensions and configured to use Tor. KawaiiGPT, another rising favorite in the underground, produced comparable output during Unit 42’s tests. It drafted plain but coherent phishing emails, basic scripts for data theft, and even supported limited lateral movement on a Linux host.

    These features are enough to draw a crowd. KawaiiGPT’s developer claimed in a Telegram channel that more than 500 users have registered, with roughly half staying active. WormGPT 4, offered through a subscription tier, also maintains a broad community across Telegram channels. The market as a whole is growing, according to Check Point’s Oded Vanunu. He describes a landscape where commercial dark LLMs coexist with private, custom-trained models that operators integrate into their own infrastructure, bypassing public marketplaces entirely.

    Even with the buzz around these tools, researchers still struggle to measure their real influence. Analysts lack reliable ways to detect AI-generated malicious code unless attackers leave clear indicators behind. This makes usage difficult to track, and much of the evidence remains anecdotal or based on conversations in underground forums.

    The technical ceiling for these systems appears low. They generate incorrect code as often as they produce working snippets, a direct result of LLM hallucinations. They also lack the contextual reasoning needed to build full malware samples that adapt to specific targets. Unit 42 researchers note that human operators still need to correct errors, refine logic, and handle environment-specific details. Instead of pioneering new techniques, these models recycle familiar patterns and rely heavily on code fragments available in open repositories.

    To read more about this article, click here.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Prompt Injections and the Expanding Attack Surface of Agent-Enabled Browsers

    Prompt Injections and the Expanding Attack Surface of Agent-Enabled Browsers

    ChatGPT’s Atlas browser marks a noticeable shift in how LLM-driven features interact with everyday browsing. By placing a full reasoning engine inside the same space that handles untrusted Web content, Atlas changes the threat model for users and organizations experimenting with agent-based automation. The convenience is obvious; the exposure is far greater than many expect.

    Integration That Alters the Security Boundary

    Atlas, built on Chromium and released in late October, blends standard browsing functions with an LLM that can read, summarize, and act on Web content in real time. This removes a long-standing separation between the rendering engine and the model performing language operations. Once those layers are intertwined, every page load becomes a potential carrier for instructions the agent may interpret as operational rather than informational.

    This is the core issue. The model no longer works with curated input. It absorbs whatever the browser encounters, including content that was never meant to be interpreted as a command.

    Why Prompt Injection Matters More in This Context

    Prompt injection isn’t a minor annoyance in this environment. It is a control flaw that stems from the way LLMs process language. Direct injections attempt to manipulate the model through explicit queries, but indirect injections are the real concern. An attacker can hide instructions in HTML comments, CSS, SVG metadata, JavaScript-generated elements, or even inside the body of an email. The agent sees plain text where a human sees nothing.

    Once autonomy enters the equation, these injections can cause far more than misstatements. They can trigger HTTP requests, modify local files, run code through allowed tools, or relay corrupted instructions to other integrated systems. A single crafted string becomes a foothold for actions that resemble insider activity rather than a typical exploit.

    Evidence That This Threat Path Is Already Active

    LayerX disclosed the first vulnerability in Atlas one day after launch. Their research showed that malicious instructions could persist in memory during agent execution. This demonstrates that the attack surface merges traditional browser risks, like DOM manipulation or script injection, with the LLM’s control layer.

    OpenAI’s CISO acknowledged the same risk publicly, noting that prompt injection remains unresolved despite years of effort. Because the flaw is tied to interpretation rather than model parameters, no amount of fine-tuning eliminates it entirely.

    How Agent Autonomy Amplifies Risk in Enterprise Environments

    From the perspective of a security team, giving an agent tool access is comparable to placing an inexperienced employee inside the network who obeys any instruction that appears grammatically valid. Atlas and similar systems can issue API calls, generate code, access internal pages, and interact with automation platforms.

    This means an indirect injection no longer ends at the interface layer. It can extend into ticketing systems, internal documentation, repositories, CRM platforms, and anything else the agent is tied into. Many organizations testing agent capabilities are doing so without strong privilege controls, which increases the likelihood that contaminated text leads to operational consequences.

    Defensive Priorities for Organizations Exploring Agentic Browsers

    As more vendors follow this model, protective measures need to match the new exposure. Several controls make a meaningful difference:

    Least-Access Agent Permissions

    Agents should only have access to the exact tools needed for their tasks, with no general-purpose capabilities that expand their reach.

    Sandboxed Tool Execution

    Tool usage must run inside isolated execution environments that restrict file operations and outbound interactions.

    Internal Access Filters

    Anything involving internal systems should be treated as though requests originate from an unknown external service, with authentication and context checks on every step.

    Human Review for High-Impact Actions

    Actions involving file changes, system commands, sensitive data, or external communication should require human confirmation before execution.

    Treat All External Content as Hostile

    Every Web page, email body, embedded object, or file preview should be considered untrusted input that may contain hidden instructions.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • The “Second Coming”: Shai Hulud Returns to npm

    The “Second Coming”: Shai Hulud Returns to npm

    A new surge of malicious activity hit the npm ecosystem early on November 24, marking the return of the Shai Hulud campaign. Hundreds of packages began showing the same hallmarks as the earlier outbreak, signaling that the operators behind the worm had reactivated their supply chain operation. The timing is significant, landing just ahead of npm’s December 9 cutoff for classic authentication tokens, a moment that has already shaped how attackers position themselves within developer ecosystems.

    A Coordinated Return Before npm’s Token Deadline

    The timing of the new attack indicates a deliberate effort to take advantage of remaining gaps in token migration. Many organizations have not yet transitioned to trusted publishing, leaving older tokens in active use. The attacker appears to have targeted this transitional period, building on the momentum of earlier incidents that began during the summer, including the S1ngularity activity in August and the first Shai Hulud wave in mid September.

    The new operation mirrors the prior campaign but arrives with expanded capabilities and a clearer strategy for large scale impact.

    Understanding Shai Hulud

    Shai Hulud takes its name from the giant sandworms in Dune, reflecting the attacker’s preference for dramatic thematic references. Despite the theatrical branding, the threat itself is practical, automated, and purposefully constructed for supply chain exploitation. The worm spreads through npm packages, activates during installation, scans local systems for sensitive information, and transmits any recovered credentials to public GitHub repositories created by the attacker. The intention is to compromise developer environments and leverage stolen secrets to publish additional weaponized packages, creating a cycle of propagation.

    What’s Changed in the Sandworm’s Second Wave?

    The new version of Shai Hulud introduces several operational adjustments. The attacker now uses an installation script that deploys Bun and then uses Bun to execute the primary malicious payload. The worm also generates randomized GitHub repositories for exfiltration rather than relying on a fixed name. The scope of attempted package infection has increased significantly, rising from twenty in the first wave to as many as one hundred in the current one. In addition, a destructive fallback behavior was added that attempts to wipe the user’s home directory when authentication to GitHub or npm fails. This element increases the potential operational impact of an incomplete or partially blocked infection.

    Wide Reach Across npm Packages

    Netizen reviewed the list of confirmed compromised packages and found that hundreds of modules across AsyncAPI, Zapier, ENS Domains, PostHog, Postman, and several independent publishers were affected. The combined monthly download count for these packages exceeds one hundred million. This level of reach creates an elevated risk of downstream exposure for developers, CI systems, and organizations that rely on automated dependency updates.

    Partial Failures in the Attacker’s Packaging Process

    While the campaign was broad, analysis revealed that many compromised packages contained only the staging script and lacked the primary payload file. This appears to stem from packaging errors by the attacker. These mistakes limited the overall impact, although they did not prevent successful compromise in key ecosystems.

    Evidence of Repository Intrusions

    The AsyncAPI team publicly confirmed that an unauthorized branch was created in their CLI repository shortly before malicious packages were published. The attacker appears to have used a method similar to the approach observed during the earlier compromise of nx related projects. Other organizations, including PostHog and Postman, have acknowledged the incident as well.

    Early Indicators and Campaign Progression

    Telemetry shows the first malicious packages appeared shortly after 3 AM GMT on November 24. AsyncAPI packages were compromised first, followed by a rapid expansion into PostHog and Postman ecosystems. The quick progression suggests that the attacker relied on automated deployment infrastructure.

    Implications for Organizations

    Any developer or automated system that installed one of the compromised versions during the active window may have exposed sensitive credentials. Shai Hulud activates during the installation phase, meaning the system can be compromised before any dependency is fully in place. The worm searches for cloud tokens, CI authentication values, GitHub or npm credentials, and other secrets, then uploads them to public GitHub repositories labeled with the campaign’s slogan.

    Stolen credentials could allow further unauthorized commits, package publication, or access to internal systems. The scale of distribution increases the likelihood that secrets belonging to multiple organizations are already exposed.

    Recommended Response Actions

    Netizen advises all organizations using npm to take the following steps:

    • Audit all dependencies associated with the affected publishers.
    • Rotate every credential used in development environments or automated build systems during the period in which the malicious versions were available.
    • Search internal GitHub organizations for unfamiliar repositories containing the phrase “Sha1 Hulud. The Second Coming.”
    • Disable npm postinstall scripts in CI environments where feasible.
    • Lock dependency versions and enforce strong authentication protections for GitHub and npm accounts.
    • Use advanced supply chain security tooling to block known malicious package versions within internal environments.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Netizen: Monday Security Brief (11/24/2025)

    Netizen: Monday Security Brief (11/24/2025)

    Today’s Topics:

    • 7-Zip Symbolic Link Flaw Draws Attention After Public PoC Release
    • Another Salesforce Supply-Chain Breach: Gainsight Compromise Fuels OAuth Token Theft
    • How can Netizen help?

    7-Zip Symbolic Link Flaw Draws Attention After Public PoC Release

    Reports from NHS England Digital briefly suggested that a newly disclosed flaw in 7-Zip was being used in real attacks, but the agency later corrected its advisory, clarifying that it has not seen evidence of live exploitation. What they have confirmed is the presence of a public proof-of-concept, which raises the stakes for anyone still running outdated versions of the tool.

    The issue, tracked as CVE-2025-11001, affects how 7-Zip processes symbolic links inside ZIP archives. A crafted archive can push the program into unintended directories and open the door for remote code execution under a service-level account. Trend Micro’s ZDI highlighted the directory traversal weakness last month, and the fix quietly arrived with version 25.00 in July. The flaw was introduced several versions earlier, making long-term installs especially exposed.

    Researchers Ryota Shiga and Takumi, an AI-assisted auditing system from GMO Flatt Security, discovered and disclosed the problem. A second, similar bug, CVE-2025-11002, was also fixed in the same release and involves the same symbolic-link handling weakness. Both issues share the same severity score and the same potential impact.

    Although NHS initially suggested active exploitation, the updated advisory walks that back and attributes the earlier wording to an error. What remains true is that a PoC is already available. Security researcher Dominik, who published the demonstration, noted that successful exploitation requires either an elevated account or Windows developer mode. The vulnerability only affects Windows systems and cannot trigger outside those conditions.

    With public exploit material already circulating, users relying on older 7-Zip versions are exposed to unnecessary risk. Updating to version 25.00 or later closes both symbolic-link flaws and prevents attackers from using crafted archives to gain footholds on a target system.

    Another Salesforce Supply-Chain Breach: Gainsight Compromise Fuels OAuth Token Theft

    Salesforce customers are once again dealing with a familiar and avoidable problem: attackers abusing third-party integrations to slip into environments that organizations assumed were already under control. The newest incident mirrors the Drift breach from earlier in the year, only this time the attackers used Gainsight as their entry point. OAuth tokens tied to Gainsight’s connection with Salesforce were stolen, giving the threat group access to customer environments with whatever permissions each organization had granted the app.

    The attackers behind this campaign are linked to the ShinyHunters extortion group, which has spent much of the past year targeting SaaS integrations that provide broad access but are often treated as low-risk. Google’s threat intelligence team attributed this latest wave to a group connected to ShinyHunters and said that more than 200 Salesforce environments were affected. The attackers themselves claimed nearly 1,000 across both Drift and Gainsight.

    Salesforce responded by pulling the affected apps from its marketplace and revoking all active OAuth tokens associated with Gainsight. That decision briefly caused confusion inside Gainsight, which initially believed the sudden failure of customer connections was a technical glitch. Salesforce later clarified that revoking the tokens did not erase audit trails or limit customers’ ability to investigate the breach.

    The most striking part of this episode is how straightforward the attackers’ strategy was. Security researchers pointed out that Drift never required the level of access many customers had given it, and the same pattern repeated with Gainsight. These integrations were granted extensive permissions far beyond what a sales-oriented tool reasonably needs, creating a perfect opportunity for attackers once those OAuth tokens were stolen.

    This isn’t just a Salesforce issue. Gainsight connects to a long list of other platforms; Slack, Microsoft Teams, HubSpot, Jira, Snowflake, and many more. Any organization that integrated Gainsight without a clear access policy may now be exposed across several systems, not just Salesforce. Many teams are only now realizing how many places their SaaS tools connect and how little visibility they actually have.

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.

  • Cloudflare Explains Its Most Significant Outage Since 2019

    Cloudflare Explains Its Most Significant Outage Since 2019

    On Tuesday, Cloudflare experienced a large-scale service degradation that temporarily disrupted access to major online services such as X, Spotify, YouTube, Uber, and ChatGPT. For several hours, HTTP requests routed through Cloudflare returned 5xx server errors at high volumes, interrupting normal network traffic and slowing response times across a wide portion of the internet.

    The company has now published a detailed technical explanation of the issue and what led to the cascading failure.

    Official Statement from Cloudflare

    In his update, Cloudflare CEO Matthew Prince acknowledged the disruption and described its severity:

    “In the last 6+ years we’ve not had another outage that has caused the majority of core traffic to stop flowing through our network. On behalf of the entire team at Cloudflare, I would like to apologize for the pain we caused the Internet today.”

    Prince emphasized there was no hostile trigger:

    “The issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind.”

    Initial suspicion focused on a possible hyper-scale DDoS campaign after elevated error counts and even Cloudflare’s independent status page went offline, though this was later confirmed to be coincidental.

    Technical Root Cause

    The fault originated within Cloudflare’s Bot Management system, which applies machine-learning–based request scoring to detect automation, scraping, and traffic amplification behavior. Central to this is a “feature file,” containing metadata extracted from global traffic patterns. It refreshes every five minutes across all enforcement points to adapt to new bot characteristics.

    A database permission configuration change altered the query that generates this feature file. Instead of a sparse and efficient representation, the query duplicated a large number of entries. The resulting file size dramatically exceeded expected limits.

    Once deployed across the global network edge, the inflated file caused memory and performance issues for the Bot Management software. This triggered widespread HTTP 5xx responses and high CPU utilization on affected nodes. Debugging workloads and retry cascades amplified the strain, leading to partial loss of content delivery network responsiveness.

    Because the corrupted file regenerated repeatedly on its standard five-minute schedule, symptoms fluctuated in intensity, making initial diagnosis difficult.

    Restoration Effort

    Cloudflare isolated the issue by halting further propagation of the malformed feature file and pushing a previously validated version into service. Prince noted:

    “Core traffic was largely flowing as normal by 14:30.”

    Full operational health returned later the same evening.

    Cloudflare engineers manually suspended dependent components, redistributed load, and monitored CPU and network behavior to confirm stabilization.

    Preventive Measures and Architectural Improvements

    Prince described the outage as “unacceptable” and pointed to several engineering responses already in progress:

    • Expanding global kill-switch capabilities for feature rollouts, allowing rapid containment of faulty updates before widespread propagation.
    • Strengthening guardrails on feature file generation to prevent oversized or malformed artifacts.
    • Improving backpressure and error-reporting logic so diagnostic telemetry cannot overwhelm infrastructure during failures.

    Reflecting on the event, Prince commented:

    “When we’ve had outages in the past it’s always led to us building new, more resilient systems.”

    How Can Netizen Help?

    Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

    Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

    Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

    Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.