{"id":20820,"date":"2025-10-27T13:44:06","date_gmt":"2025-10-27T11:44:06","guid":{"rendered":"https:\/\/kordon.app\/?p=20820"},"modified":"2025-10-27T13:44:06","modified_gmt":"2025-10-27T11:44:06","slug":"cybersecurity-news-worth-your-attention-this-week-summarised-2025-10-27","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/cybersecurity-news-worth-your-attention-this-week-summarised-2025-10-27\/","title":{"rendered":"Cybersecurity News Worth Your Attention this Week Summarised &#8211; 2025-10-27"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>I go through ~20 different cybersecurity news portals and research site for the most interesting news every week so that you don&#8217;t have to. <\/p>\n\n\n\n<p>If you enjoy the content, scroll to the bottom to get such a summary to your inbox every Monday!<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Lazarus Group Uses Fake Recruitments and Trojanized Open-Source Tools to Infiltrate European Drone Firms<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">ESET researchers have uncovered <strong>a new phase of North Korea\u2019s Operation \"Dreamjob\"<\/strong>, targeting at least <strong>three European defense and UAV-technology firms since March 2025<\/strong>. <strong>Attackers lured engineers with counterfeit job offers, then dropped a custom DLL loader (\u201cDroneEXEHijackingLoader.dll\u201d) and the ScoringMathTea RAT via trojanized open-source apps to exfiltrate drone design and manufacturing data.<\/strong>  <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Spear-phishing emails pose as recruiters from leading defense firms,<\/strong> delivering malicious PDF readers or installers.<\/li>\n\n\n\n<li>DLL side-loading loads DroneEXEHijackingLoader.dll, which in turn deploys the ScoringMathTea RAT for persistence and data theft.<\/li>\n\n\n\n<li><strong>Attackers trojanized lesser-known GitHub projects<\/strong> (Notepad++, WinMerge plugins) to evade detection.<\/li>\n\n\n\n<li><strong>At least three companies across Southeastern and Central Europe, <\/strong>metal engineering, aircraft components, and defense, <strong>were targeted.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don&#8217;t install stuff during job interviews.<\/li>\n\n\n\n<li>Be suspicious of links from recruiters.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4078672\/lazarus-group-targets-european-drone-makers-in-new-espionage-campaign.html\">CSO Online<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">2. Iran-Linked MuddyWater Deploys Phoenix Backdoor in Global Espionage Campaign<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A new MuddyWater operation<\/strong> used a compromised NordVPN-accessed mailbox to <strong>phish over 100 government and international organizations in MENA<\/strong>.  Opening <strong>weaponized Word attachments<\/strong> and enabling <strong>macros<\/strong> i<strong>nstalled the Phoenix v4 backdoor<\/strong> via a FakeUpdate loader.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>MuddyWater spoofed trusted email correspondence via NordVPN-routed mailbox.<\/li>\n\n\n\n<li><strong>Targets: 75% embassies, foreign affairs ministries, consulates, plus telecoms and NGOs.<\/strong><\/li>\n\n\n\n<li><strong>Attack chain: <\/strong>Word macro dropper \u2192 FakeUpdate loader \u2192 AES-encrypted Phoenix v4 payload.<\/li>\n\n\n\n<li>C2 server (159.198.36[.]115) also hosts RMM tools and custom browser credential stealer.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Block or restrict Office macros by default; <\/strong>allow only via controlled signing.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong> <a href=\"https:\/\/www.group-ib.com\/blog\/muddywater-espionage\/\" target=\"_blank\" rel=\"noopener\" title=\"\">Group IB,<\/a> <a href=\"https:\/\/thehackernews.com\/2025\/10\/iran-linked-muddywater-targets-100.html\">The Hacker News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">3. GlassWorm Self-Propagates in VS Code Extensions via Invisible Unicode<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Researchers at Koi Security uncovered GlassWorm, a self-propagating worm hidden in VS Code extensions using non-rendering Unicode characters to evade detection.<\/strong> <strong>It leverages the Solana blockchain<\/strong> and <strong>Google Calendar<\/strong> for resilient command-and-control, harvests developer credentials to spread across the supply chain, and turns infected workstations into SOCKS proxies and hidden VNC servers. <strong>Over 35,800 installs are impacted, posing immediate risk for anyone relying on VS Code.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>At least 13 extensions on OpenVSX and one on Microsoft Marketplace infected, downloaded ~35,800 times.<\/strong><\/li>\n\n\n\n<li><strong>Malicious payload concealed with Unicode variation selectors invisible to editors and most scanners.<\/strong><\/li>\n\n\n\n<li>C2 infrastructure spans Solana blockchain transactions, Google Calendar fallback, and BitTorrent DHT.<\/li>\n\n\n\n<li>ZOMBI module deploys SOCKS proxy, hidden VNC, and uses stolen tokens to compromise more packages.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit VS Code extensions against Koi\u2019s published IoCs<\/li>\n\n\n\n<li>Revoke and rotate all NPM, GitHub, and VS Code tokens<\/li>\n\n\n\n<li><strong>Established review process for VS Code extensions.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.darkreading.com\/application-security\/self-propagating-glassworm-vs-code-supply-chain\">Dark Reading<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">4. SquareX Warns of AI Sidebar Spoofing via Malicious Extensions<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Security researchers at SquareX have uncovered \u201cAI Sidebar Spoofing\u201d<\/strong>, an attack where malicious browser extensions overlay pixel-perfect <strong>fake AI assistant sidebars<\/strong> (in Comet, Atlas, Edge, Brave, etc.).  \nUnsuspecting users follow attacker-supplied instructions\u2014phishing links to fraudulent login pages or system commands that install reverse shells\u2014believing they come from the genuine AI interface.  \n<strong>Requiring only basic \u201chost\u201d and \u201cstorage\u201d permissions, these extensions can lie dormant until triggered and evade permission-based scans, highlighting the need for runtime extension analysis and browser-native guardrails.  <\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attack uses JavaScript injection to overlay fake AI sidebars indistinguishable from real ones.<\/strong><\/li>\n\n\n\n<li>Demonstrated in three scenarios: crypto-phishing, OAuth credential theft, reverse-shell installation.<\/li>\n\n\n\n<li>Works on Comet and confirmed against newly released Atlas; <strong>affects any AI sidebar-enabled browser.<\/strong><\/li>\n\n\n\n<li><strong>Malicious extensions stay dormant until a trigger prompt, complicating static permission review.<\/strong><\/li>\n\n\n\n<li>Attack works on both specialized AI browsers (Perplexity AI\u2019s Comet, OpenAI\u2019s Atlas) and mainstream browsers with AI features.<\/li>\n\n\n\n<li><strong>Fake sidebar overlays intercept all user interaction without visual or workflow differences.<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Restrict or vet unapproved sidebar extensions centrally<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/labs.sqrx.com\/ai-sidebar-spoofing-720e0c91d290\">SquareX Technical Blog<\/a>, <a href=\"https:\/\/hackread.com\/ai-sidebar-spoofing-attack-squarex-uncovers-malicious-extensions-that-impersonate-ai-browser-sidebars\/\">HackRead<\/a>, <a href=\"https:\/\/labs.sqrx.com\/ai-sidebar-spoofing-720e0c91d290\">SquareX Technical Blog<\/a>, <a href=\"https:\/\/siliconangle.com\/2025\/10\/23\/squarex-warns-ai-sidebar-spoofing-attacks-targeting-ai-browsers\/\">SiliconAngle<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. PhantomCaptcha Spearphishing Delivers RAT to Ukraine Aid Organizations<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>SentinelLABS discovered a tightly orchestrated, single-day cyber operation on October 8, 2025, that targeted the Red Cross, UNICEF, Norwegian Refugee Council, and multiple Ukrainian regional administrations with weaponized PDFs. Victims were lured to a fake Zoom\/Cloudflare captcha page<\/strong> where a <strong>\"Paste and Run\" trick launched a multi-stage WebSocket-based RAT hosted on Russian-linked servers.<\/strong> <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Phishing emails spoofed the Ukrainian President\u2019s Office <\/strong>with an embedded <strong>malicious PDF.<\/strong><\/li>\n\n\n\n<li>Fake Zoom download Domain<strong> led to a counterfeit Cloudflare DDoS-protection page prompting users to paste a \u201ctoken\u201d into Windows Run.<\/strong><\/li>\n\n\n\n<li><strong>Executed PowerShell payload staged three obfuscated scripts<\/strong> culminating in a WebSocket RAT for remote control and data theft.<\/li>\n\n\n\n<li><strong>Infrastructure was active just 24 hours publicly,<\/strong> but backend C2 servers remained online to maintain compromised hosts.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validate all PDF senders <\/strong>and disable unauthorized script execution.<\/li>\n\n\n\n<li>More phishing training?<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/hackread.com\/phantomcaptcha-rat-attack-targets-ukraine\/\">Hackread.com<\/a>, <a href=\"https:\/\/therecord.media\/phantomcaptcha-spearphishing-campaign-ukraine-war-relief-groups\">The Record<\/a>, <a href=\"https:\/\/www.sentinelone.com\/labs\/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation\/\">SentinelLABS blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Smishing Triad\u2019s Global SMS Phishing Campaign Churns Through Nearly 200,000 Domains<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>A China-linked group<\/strong> known as the \"<strong>Smishing Triad<\/strong>\" has <strong>registered over 136,000 root domains<\/strong> (194,000+ FQDNs)<strong> since January 2024<\/strong> <strong>to send fraudulent toll-violation and package-delivery texts worldwide. <\/strong>\n\n<strong>By rapidly rotating domains:<\/strong> 29% live two days or less and 82.6% under two weeks; <strong>and evolving naming patterns (e.g., gov- prefixes, state names)<\/strong>, <strong>attackers evade simple blocks<\/strong> and impersonate services from USPS and DMVs to banks and toll operators.  <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>136,933 root domains and 194,345 FQDNs identified by Unit42 (Jan 2024\u2013Jun 2025).<\/li>\n\n\n\n<li><strong>Top impersonated brand: U.S. Postal Service<\/strong> with 28,045 FQDNs; toll-service lures account for ~90,000 domains.<\/li>\n\n\n\n<li><strong>Very short domain lifespans:<\/strong> 29.19% active \u22642 days, 71.3% \u22641 week, 82.6% \u22642 weeks; &lt;6% survive >3 months.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Implement DNS filtering to block short-lived, high-risk domains.<\/strong><\/li>\n\n\n\n<li>Monitor short-lived domains and flag gov-style prefixes<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/unit42.paloaltonetworks.com\/global-smishing-campaign\/\">Palo Alto Networks Unit42<\/a>, <a href=\"https:\/\/www.darkreading.com\/cyberattacks-data-breaches\/sms-phishing-messages-target-uae-citizens-visitors\">Dark Reading<\/a> #1, <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/unpaid-toll-texts-smishing-triad\">Dark Reading<\/a> #2<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">7. UN Cybercrime Convention Faces Industry Backlash Over Researcher Risks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>The UN Convention against Cybercrime, opening for signatures this weekend,is criticized <\/strong>by a coalition of over 100 major tech firms and rights groups <strong>for its broad definitions and surveillance powers that could criminalizelegitimate security research and undermine cyber defense.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cybersecurity Tech Accord members (Arm, Cisco, Meta, Microsoft) <strong>warn treaty\u2019s vague scope risks criminalizing benign online activity<\/strong><\/li>\n\n\n\n<li><strong>Obligates states to criminalize offences punishable by \u22654 years imprisonment, with expansive data-access and surveillance powers<\/strong><\/li>\n\n\n\n<li><strong>No explicit protections for security researchers; <\/strong>critics say treaty reads like a digital surveillance pact<\/li>\n\n\n\n<li>EU has signaled support; treaty enters into force 90 days after 40 ratifications (deadline Dec 31 2026)<\/li>\n\n\n\n<li><strong>About 30\u201336 countries expected to sign; treaty effective after 40 ratifications<\/strong><\/li>\n\n\n\n<li><strong>Establishes a 24\/7 network for cross-border data requests, extraditions, and asset seizures<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4078735\/un-agreement-on-cybercrime-criticized-over-risks-to-cybersecurity-researchers.html\">CSO Online<\/a>, <a href=\"https:\/\/therecord.media\/cybercrime-treaty-signing-hanoi\">The Record<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">8. CryptoChameleon Phishing Uses Fake \u201cLegacy Request\u201d About a Death Certificate to Steal LastPass Credentials<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Scammers linked to the <strong>CryptoChameleon group<\/strong> are <strong>sending LastPass users emails spoofing a \u201clegacy request\u201d that claims a death certificate was uploaded to inherit their vault<\/strong>. The messages and follow-up calls urge recipients to cancel the request via a malicious link\u2014harvesting master passwords and passkeys for cryptocurrency theft. <strong>LastPass warns it never asks for your master password and has published IOCs and URLs to help defenders block the campaign.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Subject line: <\/strong>\u201cLegacy Request Opened (URGENT IF YOU ARE NOT DECEASED)\u201d<\/li>\n\n\n\n<li>Link redirects to attacker-controlled l<strong>ast passr ecovery[.]com phishing site<\/strong><\/li>\n\n\n\n<li>Campaign tied to UNC5356 (CryptoChameleon) and bulletproof host NICENIC<\/li>\n\n\n\n<li>New domains target both master passwords and FIDO2\/WebAuthn passkeys<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reminder to everyone: <strong>LastPass never requests master passwords<\/strong><\/li>\n\n\n\n<li>Enforce phishing-resistant MFA or secret-key login for vault access<\/li>\n\n\n\n<li><strong>Block listed IOCs<\/strong> and monitor for suspicious \u201cLegacy Request\u201d emails<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.csoonline.com\/article\/4079001\/scammers-try-to-trick-lastpass-users-into-giving-up-credentials-by-telling-them-theyre-dead-2.html\">CSO Online<\/a>, <a href=\"https:\/\/blog.lastpass.com\/posts\/possible-cryptochameleon-social-engineering-campaign-targeting-lastpass-customers-and-more\">LastPass Blog<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Major DNS Bug in DynamoDB Automation Sparks 14-Hour AWS US-EAST-1 Outage #itsalwaysDNS<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Amazon\u2019s post-mortem reveals <strong>a latent race condition in DynamoDB\u2019s DNS automationc aused deletion of all IP addresses for the us-east-1 endpoin<\/strong>t, <strong>triggering cascading DNS failures and a 14-hour global outage.<\/strong> <\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A race condition in the DynamoDB DNS management system created an empty DNS record for dynamodb.us-east-1.amazonaws.com at 11:48 PM PDT.<\/li>\n\n\n\n<li>All customer and internal AWS services using that public endpoint experienced immediate DNS lookup failures and timeouts.<\/li>\n\n\n\n<li><strong>Automated recovery routines failed to correct the empty record, necessitating manual intervention to restore IP entries.<\/strong><\/li>\n\n\n\n<li>AWS disabled the flawed DNS automation globally, added protective checks, tightened throttling, and built new test suites to catch similar bugs.<\/li>\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Introduce locking or consensus mechanisms in critical automation workflows.<\/strong><\/li>\n\n\n\n<li>Run manual-override drills for DNS and core service recovery.<\/li>\n\n\n\n<li>Remember, it&#8217;s always DNS<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/technology\/amazon-this-weeks-aws-outage-caused-by-major-dns-failure\/\">BleepingComputer<\/a>, <a href=\"https:\/\/aws.amazon.com\/message\/101925\/\">AWS Service Health Post-Mortem<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Proof-of-Concept &#8220;PromptLock&#8221; Shows Autonomous AI Ransomware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><strong>Security researchers uncovered \"PromptLock\", the first AI-driven ransomware proof-of-concept that uses large language models to generate unique payloads, choose targets, and craft ransom notes without human intervention.<\/strong><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>PromptLock queries public LLM APIs to analyze file systems and dynamically create Lua scripts.<\/li>\n\n\n\n<li>FunkSec group leverages AI to automate malware coding and attack workflows, hitting 120+ organizations.<\/li>\n\n\n\n<li>BlackMatter variants adapt encryption algorithms in real time and evade signature-based tools.<\/li>\n\n\n\n<li>Average ransomware cost rose 574% over six years to US $5.13 million per incident in 2024.<\/li>\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/ai-powered-ransomware\/\">Cybersecurity News<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>Summary of latest cybersecurity news from October 2025. <\/p>","protected":false},"author":1,"featured_media":20843,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-20820","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=20820"}],"version-history":[{"count":23,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20820\/revisions"}],"predecessor-version":[{"id":20844,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/20820\/revisions\/20844"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/20843"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media?parent=20820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=20820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=20820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}