TLDR Information Security 2025-12-19
Attacks & Vulnerabilities
Two Chrome flaws could be triggered by simply browsing the web: Update now (3 minute read)
Google patched two Chrome vulnerabilities exploitable via malicious web pages: a use-after-free in WebGPU (CVE-2025-14765) that enabled heap corruption, and an out-of-bounds read/write in the V8 JavaScript engine (CVE-2025-14766). Both flaws affect Chrome’s 3.4 billion users and require no user interaction beyond visiting a crafted site. Update to version 143.0.7499.146 or later immediately.
113,000 Impacted by Data Breach at Virginia Mental Health Authority (2 minute read)
Richmond Behavioral Health Authority in Virginia was hit by a ransomware attack in late September that encrypted parts of its network and revealed data on more than 113,000 individuals, including names, Social Security numbers, passport information, and financial and health details. Victims are advised to monitor their accounts and credit reports closely, as the ransomware group Qilin claims to have leaked 192 GB of stolen data.
HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution (2 minute read)
Hewlett Packard Enterprise has patched a critical remote code execution vulnerability in HPE OneView, tracked as CVE-2025-37164 with a maximum CVSS score of 10.0, that allows unauthenticated attackers to execute code remotely. The flaw affects all versions before 11.00, making prompt patching essential to prevent exploitation.
Strategies & Tactics
The Raspberry Pi wakeup call: Why enterprises must rethink physical security (7 minute read)
A recent Raspberry Pi attack attempt on a French ferry highlights how rogue devices with cellular modems can bypass traditional network monitoring by creating their own internet connection from inside the perimeter. Analysts estimate 50% of enterprises remain vulnerable to similar physical attacks due to unsecured Ethernet ports and inadequate device authentication. Organizations should disable unused ports by default, implement 802.1X authentication, deploy physical layer fingerprinting tools, and monitor for external infrastructure connections when unknown devices appear.
From Linear to Complex: An Upgrade in RansomHouse Encryption (13 minute read)
Unit 42 analyzed the upgraded Mario encryptor used by the RansomHouse ransomware, which evolved from simple single-pass encryption to a two-factor scheme that uses both primary and secondary keys, with chunked file processing. The RaaS operation, tracked as Jolly Scorpius, specifically targets VMware ESXi infrastructure, using the MrAgent deployment tool to encrypt multiple virtual machines simultaneously. The enhanced encryption methodology, with non-linear file processing and dynamic chunk sizing, significantly complicates static analysis and decryption for defenders.
CVE-2025-55182, also known as React2Shell, is a critical remote code execution vulnerability in React Server Components and frameworks such as Next.js that allows attackers to execute arbitrary code with a single malicious HTTP request on vulnerable servers. Default configurations are affected and reliable public exploits exist. Attackers can gain initial access without authentication and then deploy tools such as reverse shells, RATs, cryptominers, and credential harvesters across Windows and Linux environments.
Launches & Tools
Malicious Software Packages Dataset (GitHub Repo)
Datadog released an open-source dataset of over 17,000 malicious npm and PyPI packages identified through their GuardDog tool, categorized by ecosystem and whether they were compromised legitimate packages or published with malicious intent.
Wirebrowser is an open-source debugging and interception toolkit built on Chrome DevTools Protocol that combines network manipulation, API testing, and deep JavaScript memory inspection. Key features include Live Object Search for runtime patching of JS objects and Origin Trace (BDHS) for identifying user-land functions responsible for object creation or mutation through automated heap snapshots.
Verisoul provides an all‑in‑one fraud prevention platform that detects and blocks fake accounts and bots across the entire user lifecycle using device fingerprinting, behavioral analysis, and AI‑driven risk scoring to protect platforms from AI‑powered abuse and payment fraud.
Miscellaneous
I got hacked, my server started mining Monero this morning (9 minute read)
A developer’s Umami analytics container was exploited via CVE-2025-66478, a Next.js React Server Components deserialization flaw, resulting in Monero cryptominers running undetected for 10 days. Container isolation prevented the compromise from spreading because the container ran as non-root with no volume mounts or privileged access. The incident highlights the importance of knowing your dependencies’ underlying frameworks and properly configuring container security boundaries.
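As an added example (not from the post itself), the check below audits a container's runtime settings for the three isolation properties the write-up credits with containing the compromise: non-root user, no volume mounts, no privileged access. The input dict mirrors the shape of `docker inspect` output (Config, HostConfig, Mounts); the two sample configurations are constructed for illustration.

```python
"""Audit container settings for the isolation posture described in the
incident write-up. Input mirrors `docker inspect <container>` output;
the HARDENED and WEAK samples below are constructed, not real containers."""

# Values of Config.User that resolve to uid 0; an empty string means the
# image default, which for most images is root.
ROOT_USERS = {"", "0", "root"}


def audit_container(inspect: dict) -> list:
    """Return a list of findings; an empty list means the container matches
    the non-root / no-mounts / non-privileged posture from the write-up."""
    findings = []
    config = inspect.get("Config") or {}
    host = inspect.get("HostConfig") or {}

    # 1. Process identity: only the user part of "user:group" matters here.
    user = (config.get("User") or "").strip()
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root (Config.User=%r)" % user)

    # 2. Privileged mode removes most kernel-side isolation.
    if host.get("Privileged"):
        findings.append("HostConfig.Privileged is true")

    # 3. Added capabilities widen what a compromised process can do.
    for cap in host.get("CapAdd") or []:
        findings.append("capability added: %s" % cap)

    # 4. Host paths reachable from inside the container are a path outward;
    #    `docker inspect` lists both bind mounts and named volumes under Mounts.
    for m in inspect.get("Mounts") or []:
        findings.append("mount %s -> %s (%s)" % (
            m.get("Source"), m.get("Destination"), m.get("Type")))
    return findings


# Constructed sample: the posture the write-up describes.
HARDENED = {"Config": {"User": "1001:1001", "Image": "umami:example"},
            "HostConfig": {"Privileged": False, "CapAdd": None},
            "Mounts": []}

# Constructed sample: a typical "it just works" deployment.
WEAK = {"Config": {"User": "", "Image": "umami:example"},
        "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/app-data",
                    "Destination": "/data"}]}

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_container(cfg) or ["no findings"])
```

To run it against a real container, feed it `json.load()` of `docker inspect <name>` (which returns a one-element list, so take `[0]`).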
Tech provider for NHS England confirms data breach (3 minute read)
UK healthcare tech firm DXS International has reported a cyberattack on its office servers serving NHS England. Services will remain operational while the scope of any data theft is under investigation. A ransomware group called DevMan claims to have stolen 300 GB of data. Authorities, including the UK Information Commissioner’s Office and law enforcement, have been notified.
In Cybersecurity, Claude Leaves Other LLMs in the Dust (5 minute read)
Anthropic’s Claude models outperform rival LLMs on jailbreak resistance, prompt injection defenses, and limiting harmful or misleading outputs. While most vendors show mediocre and slow safety progress, Claude 4.x scores around 75–80% on jailbreak tests and nearly perfect on harmful content refusal, largely because Anthropic bakes safety alignment deeply into the training process instead of adding it as a final layer.
Quick Links
France Arrests 22 Year Old After Hack of Interior Ministry Systems (3 minute read)
France arrested a 22-year-old suspect after BreachForums administrator “Indra” claimed responsibility for breaching the Interior Ministry and allegedly accessing criminal records, wanted persons databases, and Interpol systems containing over 16 million records.
Arcanum Prompt Injection Taxonomy (Web App)
The Arcanum Prompt Injection Taxonomy provides a structured taxonomy of prompt injection attacks, categorizing them by attack intent, technique, and evasion method.
FBI Seizes Crypto Laundering Hub E-Note Linked to Russian Admin (2 minute read)
The FBI, working with German and Finnish authorities, seized cryptocurrency exchange E-Note and indicted Russian national Mykhalio Petrovich Chudnovets for laundering over $70 million for ransomware operators since 2017.