10 Cybersecurity News You Should Know From 3rd Week of May 2025

1. Postman is logging all your secrets and environment variables

Postman, a widely used API testing tool, is silently logging users' secrets and environment variables to its cloud analytics systems. Even variables marked as “secret” are exposed via resolved request URLs. This undermines the platform’s privacy assurances and introduces serious risks for any team handling sensitive or regulated data.

Key Details

• Secrets embedded in URLs or query parameters are logged—even if masked or labeled private in the UI.
• Researcher used SSL proxying and Charles Proxy to inspect network traffic and confirm data leaks.
• Postman transmits telemetry to multiple analytics endpoints without user consent.

Next Steps

• Audit Postman usage: Identify and review any usage involving sensitive or regulated environment variables.
• Block outbound analytics: Use `/etc/hosts` or firewall rules to block telemetry domains such as `bifrost.gw.postman.com`.
• Consider alternatives: Replace Postman with more transparent or self-hosted API testing tools for high-trust environments.

Read more on Medium

2. NIST Introduces LEV Equation to Prioritize Likely Exploited Vulnerabilities

The U.S. National Institute of Standards and Technology (NIST) has launched a new metric called the LEV Equation to estimate the likelihood that a vulnerability has been exploited in the wild. Known as "Likely Exploited Vulnerabilities," or LEVs, the model helps organizations prioritize patching decisions even in the absence of confirmed exploitation. This is intended to enhance the predictive capabilities of security teams and improve risk-based vulnerability management.

Key Details

• The LEV model offers a probabilistic score even when real-world exploitation hasn’t yet been confirmed.
• It complements but does not replace CISA’s Known Exploited Vulnerabilities (KEV) catalog.
• Security experts say LEV could be a “game-changer” if widely adopted, offering early indicators before threats escalate.
• The equation was released May 19, 2025, and is aimed at improving patch management efficiency in large environments.

Read more on Dark Reading

3. 3AM Ransomware Adopts Email Bombing and Vishing Combo Attack

The 3AM ransomware group has adopted a hybrid social engineering tactic that combines email bombing with vishing calls to gain initial access to victim networks. The technique overwhelms targets with spam emails, followed by a spoofed IT support call that tricks the victim into launching remote access tools. 

Key Details

• Attackers spoofed the internal IT department’s phone number to increase credibility during vishing calls.
• Victims were guided to use Windows Quick Assist or AnyDesk, enabling attackers to install the QDoor Trojan via a virtual machine.

Next Steps

• Update employee training to include awareness of vishing combined with tech support impersonation.
• Review usage and security of Quick Assist and other remote access tools within your environment.
• Implement rules in email filters to detect and rate-limit abnormal surges in inbound mail volumes to reduce email bombing impact.

Read more on Dark Reading

4. Chinese-Speaking Hackers Exploit Cityworks Vulnerability to Breach US Municipal Systems

Cisco Talos has attributed a series of attacks on US municipal systems to Chinese-speaking hackers exploiting CVE-2025-0994 in Trimble Cityworks. The attackers deployed custom malware and web shells to maintain persistent access and sought to pivot into utility systems. Cityworks is widely used by local governments for infrastructure asset management, making this a high-impact vulnerability.

Key Details

• CVE-2025-0994 affects Trimble Cityworks, a platform used by many US municipalities and counties.
• Attackers showed specific interest in utility and infrastructure-related directories for potential data exfiltration.

Next Steps

• Immediately verify patch status for CVE-2025-0994 across all Cityworks deployments.
• Restrict external access to asset and utility management systems and review logging for unusual activity since January 2025.

Read more on The Record

5. 184 Million User Credentials Exposed in Open Hacker-Controlled Directory

Researchers uncovered an open directory containing 184 million plaintext login credentials for services including Apple, Google, Meta, and dozens of government domains. The data was stored on a hacker-controlled server, potentially compiled using infostealer malware. It included both individual and institutional accounts, posing major risks for credential stuffing, phishing, and further intrusions.

Key Details

• The exposed Elasticsearch database held over 47 GB of credentials across more than 100 platforms.
• Accounts included logins from Apple, Facebook, Microsoft, PayPal, and services in 29 governments including the US, UK, and Australia.
• The password field was labeled “Senha” (Portuguese), suggesting possible origin in Brazilian or Portuguese-speaking cybercrime circles.
• The database has been taken offline, but access before shutdown is unknown.

Next Steps

• Cross-reference leaked emails and usernames with your organization’s domains using breach monitoring tools.
• Force credential resets for any accounts potentially associated with this breach, especially those reused across systems.

Read more on Cybersecurity News and WIRED

6. Cybercriminals Abusing Dynamic DNS to Evade Detection and Impersonate Brands

Cybercriminal groups like Scattered Spider are increasingly abusing Dynamic DNS (DDNS) services to host phishing and command-and-control infrastructure with high agility and low traceability. DDNS allows attackers to assign domain names to IP addresses that frequently change—often using rented subdomains—making it easy to impersonate trusted brands and evade static detection tools. 

Key Details

• Dynamic DNS services update domain records in real-time when an IP changes, originally intended for users with unstable IPs or remote access needs.
• Attackers rent subdomains (e.g., `klv1.it[.]com`) to spoof legitimate services like Klaviyo, enabling high-trust impersonation in phishing campaigns.
• These subdomains often have clean `.com` TLDs and pass domain reputation checks, increasing their effectiveness in social engineering attacks.
• SilentPush and Push Security reported a surge in DDNS abuse in 2025, especially from phishing groups using them for rapid deployment and takedown evasion.

Next Steps

• Audit DNS traffic for requests to known DDNS providers or rapidly changing subdomain records.
• Block or limit DDNS domains in environments that don’t require them for business operations.

Read more on Dark Reading

7. GitLab Duo Could Be Tricked Into Leaking Private Code via Hidden Prompts

A remote prompt injection vulnerability in GitLab Duo allowed attackers to leak private source code by hiding malicious instructions in public GitLab content. When a user asked Duo a question, it could unknowingly obey hidden prompts embedded in comments, commit messages, or source files — even in unrelated public repositories. These prompts caused Duo to extract data from private projects and embed it in responses using HTML tricks that exfiltrated the content to attacker-controlled servers.

Key Details

• The hidden prompt could be inserted into any GitLab context Duo analyzes — including merge request descriptions, comments, or source code — even in public repos.
• Duo followed the prompt because it reads the entire project context and assumed the hidden text was user intent.
• The injected prompt caused Duo to extract private code, encode it in Base64, and inject it into an <img> tag that browsers rendered, triggering exfiltration via HTTP.
• GitLab patched the issue in February 2025 to block unsafe HTML tags and restrict Duo’s output to trusted domains.

Next Steps

• Treat AI assistants as part of your attack surface: Anything Duo “reads” must be treated like user input — potentially malicious.
• Review past Duo interactions in private projects for signs of hidden prompts, suspicious links, or image tags in responses.
• Educate developers and reviewers about LLM prompt injection and how it may appear disguised in harmless-looking content.

Read more on Legit Security and Cybersecurity News

8. 245% Spike in Weaponized SVG Phishing Marks Alarming Trend in Email Attacks

Cybercriminals are increasingly using SVG (Scalable Vector Graphics) files to deliver phishing payloads that evade traditional email security filters. Recent research from Risky Biz, ASEC, KnowBe4, and Sophos highlights a sharp rise in SVG attachments that embed JavaScript and redirect victims to credential harvesting sites. The files are often disguised as voicemails or system messages and leverage obfuscation to bypass signature-based detection.

Key Details

• KnowBe4 reports a 245% increase in SVG-based phishing attachments between late 2024 and early 2025, peaking at 29.5% of malicious files on March 4.
• Attackers use deceptive filenames like “Play Voicemail Transcription.svg” to trick users into opening malicious SVG attachments; when rendered in a browser, these files execute embedded JavaScript that redirects victims to phishing sites.

Next Steps

• Update email filters to inspect SVG files as potentially active content, not just benign images.
• Block unknown SVG attachments by default or strip active content before delivery to users.
• Train users to be cautious of unexpected voicemail or document links, especially with SVG extensions.

Read more on Risky Biz, KnowBe4, ASEC, and Sophos

9. U.S. Intelligence Plans Central Portal to Buy Data Normally Protected by Warrants

The U.S. intelligence community is building a centralized portal to purchase commercially available personal data that would typically require a warrant if requested directly from service providers. This includes location history, communications metadata, and online activity—acquired from data brokers instead of through courts. The system is intended to streamline access across agencies and is raising concerns about unregulated, warrantless surveillance by proxy.

Key Details

• The “Intelligence Community Data Consortium” (ICDC) is being developed under the ODNI as a single access point for surveillance-grade commercial data.
• The platform, not yet live, will be hosted at www.icdata.gov and is in the early contracting phase.
• Agencies can obtain data that mirrors what’s protected by the Fourth Amendment — but bypass legal safeguards by purchasing it indirectly.
• Sources include mobile apps, adtech, telecom intermediaries, and other private vendors that operate outside direct government control.
• No judicial approval or congressional reporting is required for these purchases under current law.

Next Steps

• Identify whether your vendors participate in resale ecosystems that feed data into government procurement pipelines.
• Evaluate data governance risks if your organization sells or shares data with brokers, particularly in regulated sectors.
• Track legislation like the Fourth Amendment Is Not For Sale Act, which would close this loophole if passed.

Read more on The Intercept and Kordon.

10. Undisclosed Chinese ‘Kill Switches’ Found Hidden in US Solar Farms

A recent investigation revealed that inverters used in U.S. solar farms contain remote control “kill switches” embedded by their Chinese manufacturers. These inverters, which regulate energy flow from solar panels, are internet-connected and capable of being disabled remotely — posing a critical infrastructure risk if exploited during a geopolitical conflict or cyberattack.

Key Details

• The inverters were found to be made by Chinese companies with close ties to the Chinese Communist Party.
• Remote shutdown functionality was not disclosed to operators and could be triggered without on-site access.
• Experts warn this could give a foreign adversary the ability to cause rolling blackouts or energy instability at will.
• There are currently few regulations in place to assess or restrict foreign-made components in critical energy infrastructure.

Read more on Wired