Daily Cyber News – November 11th, 2025

This is today’s cyber news for November 11th, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.

To start, a North Korea-linked group is abusing Google's device-finding features to track, lock, and wipe phones after stealing account credentials through targeted phishing. Attackers register a second device, then trigger legitimate remote actions that look normal in many logs while they destroy evidence or put victims at risk. The move is subtle. It matters because account takeover combined with built-in recovery tools can override many mobile agents without tripping alarms, especially for journalists, diplomats, engineers, and executives. Enforcing multi factor authentication, M F A, and watching for bursts of remote locate, lock, or wipe actions tied to new sign-ins is now essential.
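The detection the item calls for, a burst of remote locate, lock, or wipe actions shortly after a sign-in from a previously unseen device, can be expressed as a simple correlation over account activity logs. The following is an added example, not code from the brief or from Google; the JSON-lines event shape, the field names, and the sample log are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (JSON lines, an assumed shape, not a real vendor export).
# "new_device" marks a sign-in from a device the account had not used before.
SAMPLE_LOG = """\
{"ts": "2025-11-11T08:00:00Z", "user": "reporter@example.org", "event": "sign_in", "device": "pixel-known", "new_device": false}
{"ts": "2025-11-11T09:02:00Z", "user": "reporter@example.org", "event": "sign_in", "device": "unknown-android", "new_device": true}
{"ts": "2025-11-11T09:05:00Z", "user": "reporter@example.org", "event": "device_locate", "device": "pixel-known"}
{"ts": "2025-11-11T09:06:00Z", "user": "reporter@example.org", "event": "device_lock", "device": "pixel-known"}
{"ts": "2025-11-11T09:08:00Z", "user": "reporter@example.org", "event": "device_wipe", "device": "pixel-known"}
{"ts": "2025-11-11T10:00:00Z", "user": "engineer@example.org", "event": "sign_in", "device": "laptop-known", "new_device": false}
{"ts": "2025-11-11T10:30:00Z", "user": "engineer@example.org", "event": "device_locate", "device": "phone-known"}
"""

# The remote actions worth correlating with a new sign-in.
REMOTE_ACTIONS = {"device_locate", "device_lock", "device_wipe"}


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_bursts(events, window_minutes=60, min_actions=2):
    """Return one alert per new-device sign-in that is followed, within the
    window, by at least min_actions remote locate/lock/wipe actions on the
    same account. Actions that happened before the sign-in are ignored."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    window = timedelta(minutes=window_minutes)
    alerts = []
    for user, user_events in by_user.items():
        for i, signin in enumerate(user_events):
            if signin["event"] != "sign_in" or not signin.get("new_device"):
                continue
            followers = [
                e for e in user_events[i + 1:]
                if e["event"] in REMOTE_ACTIONS and e["ts"] - signin["ts"] <= window
            ]
            if len(followers) >= min_actions:
                alerts.append({
                    "user": user,
                    "new_device": signin["device"],
                    "sign_in_ts": signin["ts"].isoformat(),
                    "actions": [e["event"] for e in followers],
                    "targets": sorted({e["device"] for e in followers}),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_bursts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The reporter's account produces one alert: a sign-in from an unknown device followed by locate, lock, and wipe on the known phone within minutes. The engineer's lone locate after a known-device sign-in does not, which is the normal pattern the item says these actions hide behind; the window and threshold are the knobs to tune against a tenant's real baseline.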

Today, malicious Visual Studio Code extensions resurfaced, masquerading as helpful tools while exfiltrating application programming interface, A P I, keys, cloud tokens, and secure shell, S S H, credentials. The packages lure with popular keywords, pull a second-stage script, scan local repositories and environment variables, then siphon secrets to attacker servers while tweaking user settings for persistence. Developers are in the blast radius. It matters because a single stolen token can unlock continuous integration and delivery, C I slash D, jobs, container registries, and private code, turning a desk into a supply chain breach. Lock extension catalogs, rotate developer tokens, and confirm that pipeline webhooks and secret stores have not been tampered with.

By contrast, a breach at Knownsec exposed internal repositories containing offensive tools, configuration files, target lists, and notes linked to multiple espionage campaigns. The cache includes credential theft plug-ins, lateral movement helpers, cloud reconnaissance scripts, and operational playbooks that reveal interest across telecom, government, and technology sectors. This is rare insight. It matters because defenders can map the revealed techniques to detections, raise the cost for the operators, and hunt for historical matches in identity, endpoint, and cloud logs. Analysis is underway, and teams should convert the leaked indicators into tested detections and run targeted hunts without delay.

Today, unpatched Cisco firewalls faced a new edge attack. Crafted network traffic drove state exhaustion that crashed processes, tripped watchdog reboots, and jammed failover pairs, creating rolling outages at the edge. Attackers can loop the sequence from outside, repeatedly knocking devices over before administrators can stabilize them. Perimeter downtime halts cloud access and remote work as virtual private network, V P N, tunnels drop across sites. Patches are available and many teams are adding temporary rate limits while maintenance windows are scheduled.

Elsewhere, NuGet packages carried delayed time-bombs. The implants idled for days, detected build or runtime context, then detonated payloads that clobbered databases and gateways while dodging sandboxes. Triggers used scheduled tasks and environment checks to avoid tipping off quality assurance hosts. Because many shops auto-update packages, a single poisoned feed can ripple across services and production lines. Teams are quarantining suspect packages and rebuilding from clean, pinned sources as investigations proceed.

In parallel, LangGraph workflows were quietly hijacked at load. Crafted objects stored in shared buckets executed attacker code when pipelines reloaded checkpoints, granting control of orchestration nodes and the underlying host. The weakness stemmed from unsafe deserialization and loader paths that skipped signature and checksum verification. This matters because artificial intelligence, A I, applications now carry app security risks that can pivot into broader systems. Updates and safer loaders are being adopted, with signed checkpoints and restricted write access becoming the baseline.
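The fix the item describes, signed checkpoints verified before anything is deserialized, comes down to a small envelope format. The following is an added example and not LangGraph's own checkpoint API: the envelope layout, the HMAC key source, and the sample state are assumptions. The payload is JSON rather than pickle, so even a checkpoint that slips past the checks cannot execute code on parse, and the checksum plus HMAC pair shows why a checksum alone is not enough against someone who can write to the bucket.

```python
import hashlib
import hmac
import json


class CheckpointRejected(Exception):
    """Raised when a checkpoint fails checksum or signature verification."""


def save_checkpoint(state, key):
    """Serialize state as JSON (never pickle) and wrap it in an envelope carrying
    a SHA-256 checksum and an HMAC-SHA256 tag computed with the loader's key."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    envelope = {
        "alg": "HMAC-SHA256",
        "sha256": hashlib.sha256(payload).hexdigest(),
        "tag": hmac.new(key, payload, hashlib.sha256).hexdigest(),
        "payload": payload.decode(),
    }
    return json.dumps(envelope).encode()


def load_checkpoint(blob, key):
    """Verify checksum and signature before the payload is parsed at all."""
    try:
        envelope = json.loads(blob)
    except ValueError as exc:
        raise CheckpointRejected("malformed envelope") from exc
    for field in ("alg", "sha256", "tag", "payload"):
        if field not in envelope:
            raise CheckpointRejected(f"missing field: {field}")
    if envelope["alg"] != "HMAC-SHA256":
        raise CheckpointRejected("unsupported algorithm")
    payload = envelope["payload"].encode()
    if hashlib.sha256(payload).hexdigest() != envelope["sha256"]:
        raise CheckpointRejected("checksum mismatch")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag check itself leaks nothing.
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise CheckpointRejected("signature mismatch")
    return json.loads(payload)


def rejection_reason(blob, key):
    """Return None when the checkpoint loads, otherwise the reason it was refused."""
    try:
        load_checkpoint(blob, key)
        return None
    except CheckpointRejected as exc:
        return str(exc)


def simulate_bucket_tamper(blob, old, new, recompute_checksum=True):
    """Model a writer who can edit objects in the shared bucket but holds no key:
    the payload is changed and, optionally, the checksum is recomputed to match.
    The HMAC tag still fails, which is the property the checksum alone lacks."""
    envelope = json.loads(blob)
    envelope["payload"] = envelope["payload"].replace(old, new)
    if recompute_checksum:
        envelope["sha256"] = hashlib.sha256(envelope["payload"].encode()).hexdigest()
    return json.dumps(envelope).encode()


if __name__ == "__main__":
    # Assumed: the key comes from a secret store the pipeline workers can read
    # and the bucket writers cannot.
    key = b"assumed-key-material-from-secret-store!!"[:32]
    state = {"graph": "triage", "node": "summarize", "step": 3}
    blob = save_checkpoint(state, key)
    print("clean:", rejection_reason(blob, key))
    print("edited in bucket:", rejection_reason(simulate_bucket_tamper(blob, "summarize", "injected"), key))
    print("wrong key:", rejection_reason(blob, b"x" * 32))
```

Restricting write access to the checkpoint bucket, as the item recommends, is the other half: the HMAC catches edits after the fact, while least-privilege writes keep most of them from happening at all.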

Across the web, Monsta panels invited easy takeover. A critical flaw in the web file manager let unauthenticated users run system commands, plant web shells, and pivot through shared hosts. Attackers scanned for exposed panels and dropped backdoors that survived routine site updates. Small and midsize businesses and managed providers were hit hardest as a convenience tool became a front door. Patching and removal are underway, with access now restricted and checks for rogue administrators and web shells in progress.

That’s the BareMetalCyber Daily Brief for November 11th, 2025. For more, visit BareMetalCyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back tomorrow.
