The BCM Daily Cyber News brings you clear, timely updates on threats, breaches, patches, and trends every day. Stay informed in minutes with focused audio built for busy professionals. Learn more and explore at BareMetalCyber.com.
This is today’s cyber news for October 31st, 2025. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news.
A polished board invitation on LinkedIn has become the perfect lure, and it is quietly prying open Microsoft logins at finance desks. Targets include chief financial officers and treasury teams who regularly review meeting packets, where the fake portals mirror familiar sign-in pages down to calendar language and file names. The ruse forwards victims to look-alike sites that capture passwords and multi-factor authentication, M F A, codes, then sets silent inbox rules to hide follow-up fraud. Response teams are unwinding those rules, revoking Open Authorization, O A U T H, grants, and tracing where stolen sessions let criminals stage wire-transfer changes.
A single crafted link is enough to crash Chromium browsers, and that simple trigger can clobber a day’s work across a call floor. Help desks saw tabs reopen and relaunch in loops on Google Chrome and Microsoft Edge, with kiosk screens and point-of-sale consoles trapped until someone killed the page. The underlying rendering issue makes disruption easy to mass send—through email previews, chat snippets, or QR codes that auto open—and even a glance at a preview pane may be enough to topple the process. Vendors have shipped fixes and tightened filters, but large fleets that update in rings will feel the drag until every ring catches up.
Investigators traced more than seven hundred Android apps that abuse near-field communication, N F C, turning phone taps into remote relays for thieves. The impostors pose as wallets, transit helpers, and rebate scanners to win permissions, then forward tap-to-pay signals to off-device hardware that completes fraudulent charges. Because the relay mimics a normal contactless interaction and needs no rooting, many protections never trigger, and a shopper’s daily routine becomes the cover. Platforms are pulling the worst offenders while banks tune fraud engines, yet bring-your-own-device programs and unmanaged phones remain soft targets.
Federal agencies just got a deadline from the Cybersecurity and Infrastructure Security Agency, C I S A, to fix a VMware Tools privilege flaw already in the wild. The weakness lets a user inside one virtual machine, V M, escalate to higher access and then move laterally through a virtualization estate that many teams consider safe plumbing. Investigators linked recent activity to China-nexus operators, and the real worry is older templates and golden images that quietly reintroduce the bug even after a patch. Agencies are pushing updated builds, attesting versions at scale, and tightening east-west traffic near management networks.
Investigators say a year-long breach at Ribbon Communications went unnoticed inside a major telecom supplier. The company provides core call routing and signaling software used by carriers and public-sector networks across several regions. Intruders piggybacked on trusted support connections and stolen credentials, moving quietly so routine service traffic masked their lateral steps. Containment is underway as keys rotate, access is re-issued, and partners receive tailored notifications.
In new filings, the Federal Communications Commission, F C C, advanced a proposal that would pare back several cybersecurity requirements for carriers. The measure shifts emphasis from prescriptive rules toward market incentives and voluntary frameworks across incident reporting and resilience. Supporters frame it as reducing compliance drag, while critics warn that looser oversight could quiet coordinated defense and transparency. A public comment period and future commission votes will decide the outcome.
Overnight, Windows Server Update Services, W S U S, became the focus of emergency checks after active exploitation surfaced. Administrators reported signs of tampered approvals and unexpected update behavior as the flaw let attackers push code or bypass policy during patch distribution. Root cause analysis pointed to a weakness in how update metadata and trust boundaries were enforced, which attackers pried open during routine cycles. Microsoft released fixes and guidance, and enterprises are re-baselining configurations before resuming normal syncs.
After testing, researchers detailed how misconfigured Redis instances can be bent into interactive shells on the host. The RediShell technique abuses legitimate features to write keys or load modules, then executes commands that blend with everyday cache activity. Internet scans counted thousands of reachable targets in cloud and data center networks, and botnets quickly siphoned compute for mining and footholds. Maintainers and major cloud platforms published hardening steps and visibility tips.
Vendors confirmed a coordinated wave of malicious packages on the Node Package Manager, N P M, registry designed to steal developer secrets. Attackers used typosquatting and dependency confusion so build systems would fetch poisoned versions that looked legitimate. Post-install scripts quietly siphoned GitHub tokens and environment values, often firing only in continuous integration, C I, where local tests would never see them. Takedowns are in progress as projects audit dependency trees and reset credentials.
After testing, investigators uncovered rogue extensions in Visual Studio Code, V S Code, that quietly siphoned source code and cloud keys. The add-ons posed as linters and helpers, then fetched second-stage scripts that scraped environment variables and repository tokens where developers would not notice. Several only triggered inside continuous integration, C I, pipelines, so desktop checks looked clean while build servers leaked the crown jewels. Marketplace takedowns began as teams froze extension updates and rotated access.
Conduent disclosed that a 2024 incident exposed data tied to roughly ten and a half million people. Records varied by program, but contact details, identifiers, and some benefit or claims fields were included across multiple states. The breach pried open a vendor hub that sits at the heart of citizen service workflows, drawing scrutiny from regulators and attorneys general. Notifications, credit-monitoring offers, and coordinated containment are now underway.
Dentsu confirmed a cyber incident at its Merkle unit that touched employee and client information. Investigators traced access to internal repositories used for campaign operations and file sharing, which could help attackers forge convincing brand lures. Business continuity plans kept core services running, but clients are asking for deletion attestations and fresh data-sharing maps. Scope refinement and attribution continue while takedowns and credential rotations proceed.
Researchers detailed “Airstalk,” a malware family that hides command and control, C and C, inside VMware Workspace ONE device-management traffic. The implant registers like a compliant endpoint, then piggybacks on policy and script channels to receive tasks and exfiltrate data. Because traffic lands on trusted management servers, many perimeter tools stay quiet and let the flow pass. Response playbooks now call for named admin accounts, tighter approvals, and re-enrollment of high-risk devices.
A new paper showed agent-aware cloaking that feeds automated A I crawlers fake pages while humans see something else. The trick detects bots, swaps in alternate facts or links, and can poison retrieval-augmented systems with confident falsehoods. Growth hackers and fraud crews are already experimenting, aiming to steer competitors or hide abusive content from moderation. Governance teams are adding provenance checks and comparing human versus agent snapshots to spot divergence.
Administrators saw the same old story with a sharper edge as the Cybersecurity and Infrastructure Security Agency, C I S A, pushed fresh guidance for Microsoft Exchange. Investigations tied recent intrusions to weak legacy protocols and unsupported servers that lingered as migration crutches. The root cause is simple: outdated authentication and exposed paths let attackers pivot from email into identity and domain control. Teams are enforcing modern authentication, isolating holdovers, and setting firm decommission dates.
Investigators say WordPress ecommerce sites running WooCommerce suffered a quiet wave of credit-card skimming through malicious plugins. Infections planted hidden admins, altered checkout templates, and siphoned payment fields to attacker domains during real transactions. The scheme spread through nulled themes and cracked add-ons that promised convenience but delivered theft. Store owners are freezing plugin changes, restoring clean templates, and rotating keys before reopening checkout.
A leaked briefing circulated with model lists suggesting certain Google Pixel devices are susceptible to Cellebrite forensic unlocking under specific conditions. The disclosure mapped success rates to firmware levels and lock settings, putting travel and executive handling policies in the spotlight. The root lesson is that even brief physical access can enable extraction when patches and protections lag. Enterprises are enforcing current security updates, stronger screen locks, and lockdown modes for at-risk trips.
That’s the BareMetalCyber Daily Brief for October 31st, 2025. For more, visit Bare Metal Cyber dot com. You can also subscribe to the newsletter and view the archive of previous headlines at daily cyber dot news. We’re back Monday.