SecurityWeek

In Other News: Apple Patches Beats Eavesdropping Flaw, DOT Closes Delta CrowdStrike Probe, AWS Continuum


SecurityWeek’s weekly cybersecurity news roundup offers a concise overview of important developments that may not receive full standalone coverage but remain relevant to the broader threat landscape.

This curated summary highlights key stories across vulnerability disclosures, emerging attack methods, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.

Here are this week’s highlights:

10-year-old phpBB flaw enables session hijacking

Researchers uncovered a critical authentication bypass in phpBB versions up to 3.3.16 and 4.0.0-a2. A single unauthenticated HTTP request can impersonate any user, including admins, exposing private messages and forum content, and providing full administrative control. phpBB users should upgrade immediately to 3.3.17 or the latest master branch. The issue, reported via HackerOne, received a patch within days, but thousands of active forums remain exposed.


Velvet Ant maintained decade-long stealth in air-gapped critical infrastructure

China-nexus actor Velvet Ant compromised an organization’s segregated network starting around 2016. It chained internet-facing footholds, Nginx/FastCGI proxies, and backdoored PAM/OpenSSH components for credential theft and persistent access. The group deployed variants of GS-Netcat, SOCKS5 proxies, and nine pam_unix.so backdoors across hosts. Remediation proved complex.

MaXSS and Spyder flaws expose 10 million Chrome users to hacking

Critical vulnerabilities in SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions can allow malicious websites to trigger arbitrary extension actions, including hidden tab screenshots, AI memory dumps, and potential file access. With over 10 million combined installs and no vendor response, the issues enable full browser session compromise and account takeovers without user interaction. Users should remove the extensions until fixed.

AWS unveils Continuum

AWS has announced a new AI-powered tool designed to help organizations discover, prioritize, validate, and resolve vulnerabilities. Available in gated preview, Continuum takes findings from existing tools and its own scanning, prioritizing them based on exploitability in the user’s own environment.

1.2 million WordPress sites compromised in OptinMonster supply chain attack

Attackers injected malicious JavaScript into Awesome Motive’s OptinMonster, TrustPulse, and PushEngage WordPress plugin CDN scripts. The payload activates for logged-in admins, creating rogue administrator accounts and a hidden backdoor plugin. The breach stemmed from a compromised UpdraftPlus instance and CDN key. The supply chain attack is believed to have hit more than 1.2 million WordPress sites.

FTC says imposter scams cost Americans $3.5 billion in 2025

The FTC reported imposter scams as the most common fraud category, with losses nearly tripling since 2020. Bank and government impersonation schemes drove the bulk of the damage, often via fake security alerts urging money transfers. Overall fraud losses hit a record $16 billion. The agency continues enforcement under its Impersonation Rule and supports public awareness campaigns.

US DOT closes investigation into Delta’s 2024 CrowdStrike outage response

The Department of Transportation ended its probe into Delta’s prolonged recovery from the global CrowdStrike incident without penalties. Investigators found the airline provided adequate refunds, baggage help, and support for passengers with disabilities. This aligns with the current administration’s shift away from certain Biden-era consumer protection enforcement approaches.

JetBrains Marketplace plugins steal developer AI keys

At least 15 malicious AI coding assistant plugins, published in the JetBrains Marketplace under various vendor accounts, exfiltrate OpenAI, DeepSeek, and similar API keys. The plugins have racked up nearly 70,000 installs while functioning as advertised. Keys are sent in plaintext to a hardcoded attacker server. The plugins also appear to resell stolen access to paying users.

Apple releases Beats firmware fixing unauthenticated mic access

Beats Studio Buds firmware update 1B211 patches CVE-2025-20701, which allowed nearby attackers to listen via the microphone on unpaired devices actively seeking connections. Updates apply automatically when paired with Apple devices. CVE-2025-20701 is one of three Bluetooth security issues disclosed last year, which have been found to impact devices from several major vendors.

Popa botnet tied to Israeli proxy provider

Researchers linked the large Popa Android TV box botnet — used for residential proxy traffic in ad fraud and scraping — to NetNut, operated by publicly traded Israeli company Alarum Technologies. Researchers said an SDK turns compromised streaming devices into persistent proxies. The operation involves millions of IPs daily and raises concerns about local network exposure and ties to data scraping. NetNut and Alarum have disputed the allegations, calling them “demonstrably inaccurate assertions and flawed deductions rather than verified facts.”

GCP Config Connector enables org-wide IAM owner takeover

A confused deputy vulnerability in Config Connector lets any Kubernetes namespace user escalate to GCP Organization Owner by submitting a malicious IAMPolicyMember. Google acknowledged the issue internally as P1/S1 but later classified it as “working as intended” and left it unpatched. The bypass affects organizations using the service for organization-level management.

ShinyHunters leaks Knicks and MSG talent and customer data

Hackers published Madison Square Garden data, including details on Knicks-related “talent” (players, coaches, celebrities) with risk assessments, addresses, and contact info, along with customer correspondence. The dump follows a June 5 breach. ShinyHunters continues its pattern of public leaks to pressure victims.
