The Breach News

GitLab Duo Vulnerability Allowed Attackers to Manipulate AI Responses via Hidden Prompts

May 23, 2025
Artificial Intelligence / Cybersecurity Threats

Cybersecurity researchers have identified a critical indirect prompt injection vulnerability in GitLab’s AI assistant, Duo. This flaw could potentially allow malicious actors to access source code and inject untrusted HTML into the AI’s responses, redirecting users to harmful websites. GitLab Duo, an AI-driven coding assistant launched in June 2023 and built on Anthropic’s Claude models, has been shown to be vulnerable. According to findings from Legit Security, this weakness enables attackers to steal code from private projects, alter code suggestions for other users, and even exfiltrate sensitive undisclosed zero-day vulnerabilities. Prompt injection is a known class of vulnerabilities within AI systems, allowing threat actors to exploit large language models (LLMs) to manipulate user interactions.

GitLab Duo Vulnerability Exposes Users to Potential Code Hijacking and Malware Risks May 23, 2025 | Cybersecurity Insights Cybersecurity experts have recently identified a significant security vulnerability in GitLab’s AI coding assistant, Duo. This flaw involves indirect prompt injection, which could potentially enable malicious actors to access confidential source code…

Read More

GitLab Duo Vulnerability Allowed Attackers to Manipulate AI Responses via Hidden Prompts

May 23, 2025
Artificial Intelligence / Cybersecurity Threats

Cybersecurity researchers have identified a critical indirect prompt injection vulnerability in GitLab’s AI assistant, Duo. This flaw could potentially allow malicious actors to access source code and inject untrusted HTML into the AI’s responses, redirecting users to harmful websites. GitLab Duo, an AI-driven coding assistant launched in June 2023 and built on Anthropic’s Claude models, has been shown to be vulnerable. According to findings from Legit Security, this weakness enables attackers to steal code from private projects, alter code suggestions for other users, and even exfiltrate sensitive undisclosed zero-day vulnerabilities. Prompt injection is a known class of vulnerabilities within AI systems, allowing threat actors to exploit large language models (LLMs) to manipulate user interactions.

XDigo Malware Exploits Windows LNK Vulnerability in Eastern European Government Attacks

On June 23, 2025, cybersecurity researchers unveiled XDigo, a Go-based malware utilized in attacks against Eastern European government entities in March 2025. The cyber espionage campaign, known as XDSpy, has been targeting government agencies in Eastern Europe and the Balkans since 2011, with its origins traced back to early documentation by the Belarusian CERT in 2020. Recent years have seen numerous campaigns aimed at organizations in Russia and Moldova, deploying malware families such as UTask, XDDown, and DSDownloader to retrieve sensitive data from compromised systems. HarfangLab reported that the threat actor exploited a remote code execution vulnerability in Microsoft Windows, triggered by specially crafted LNK files, as part of a multi-stage attack approach.

XDigo Malware Exploits Windows LNK Vulnerability in Eastern European Government Attacks Cybersecurity analysts have identified a Go-based malware, designated XDigo, that has recently been employed in targeted cyberattacks against governmental entities in Eastern Europe. According to French cybersecurity firm HarfangLab, these attacks were particularly concentrated in March 2025 and utilized…

Read More

XDigo Malware Exploits Windows LNK Vulnerability in Eastern European Government Attacks

On June 23, 2025, cybersecurity researchers unveiled XDigo, a Go-based malware utilized in attacks against Eastern European government entities in March 2025. The cyber espionage campaign, known as XDSpy, has been targeting government agencies in Eastern Europe and the Balkans since 2011, with its origins traced back to early documentation by the Belarusian CERT in 2020. Recent years have seen numerous campaigns aimed at organizations in Russia and Moldova, deploying malware families such as UTask, XDDown, and DSDownloader to retrieve sensitive data from compromised systems. HarfangLab reported that the threat actor exploited a remote code execution vulnerability in Microsoft Windows, triggered by specially crafted LNK files, as part of a multi-stage attack approach.

From Awareness to Implementation: Cultivating Enduring Cybersecurity Practices

For insights on enhancing your organization’s cybersecurity measures, consider exploring Security Awareness Programs & Computer-Based Training and Training & Security Leadership. Authored by Brandy Harris • August 15, 2025 Every October, companies reexamine their cybersecurity protocols, reiterating that “Security is everyone’s responsibility.” Despite these efforts, the prevalence of security incidents…

Read MoreFrom Awareness to Implementation: Cultivating Enduring Cybersecurity Practices

CISA Alerts on Potential Widespread SaaS Attacks Targeting App Secrets and Cloud Misconfigurations

May 23, 2025
Cloud Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that Commvault is actively monitoring cyber threats aimed at applications hosted in their Microsoft Azure environment. According to the agency, “Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup SaaS solution in Azure.” This breach potentially granted unauthorized access to Commvault’s customers’ M365 environments, where application secrets are stored. CISA further indicated that this activity might be part of a larger campaign targeting various SaaS providers’ cloud infrastructures that utilize default configurations and elevated permissions. This advisory follows Commvault’s recent revelation that Microsoft alerted the company in February 2025 about unauthorized activity from a nation-state threat actor within its Azure environment. The incident prompted…

CISA Issues Warning on Potential Widespread SaaS Attacks Targeting Application Secrets and Cloud Misconfigurations On May 23, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an important advisory concerning emerging cyber threats affecting applications running in cloud environments, specifically highlighting the ongoing monitoring efforts by Commvault. This alert…

Read More

CISA Alerts on Potential Widespread SaaS Attacks Targeting App Secrets and Cloud Misconfigurations

May 23, 2025
Cloud Security / Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that Commvault is actively monitoring cyber threats aimed at applications hosted in their Microsoft Azure environment. According to the agency, “Threat actors may have accessed client secrets for Commvault’s (Metallic) Microsoft 365 (M365) backup SaaS solution in Azure.” This breach potentially granted unauthorized access to Commvault’s customers’ M365 environments, where application secrets are stored. CISA further indicated that this activity might be part of a larger campaign targeting various SaaS providers’ cloud infrastructures that utilize default configurations and elevated permissions. This advisory follows Commvault’s recent revelation that Microsoft alerted the company in February 2025 about unauthorized activity from a nation-state threat actor within its Azure environment. The incident prompted…

Customers may receive up to $7,500 from AT&T data breach settlement.

AT&T customers may be entitled to financial compensation following a significant settlement of $177 million stemming from two data breaches that compromised sensitive information. These breaches occurred in March and July of the previous year, exposing critical personal data, including Social Security numbers and phone numbers, of millions of both…

Read MoreCustomers may receive up to $7,500 from AT&T data breach settlement.

Citrix Bleed 2 Vulnerability Allows Token Theft; SAP GUI Flaws Threaten Sensitive Data Security

June 25, 2025
Data Privacy / Vulnerability

Cybersecurity experts have unveiled two recently patched vulnerabilities in the SAP Graphical User Interface (GUI) for Windows and Java, which could allow attackers to access sensitive information if exploited. The vulnerabilities, identified as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were addressed in SAP’s January 2025 monthly update. According to Pathlock researcher Jonathan Stross, the research revealed that the SAP GUI input history is insecurely stored in both Java and Windows versions. This input history feature is designed to help users quickly access previously entered data, storing it locally on devices. However, this can include sensitive information such as usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names. The vulnerabilities highlighted by Pathlock stem from these insecure storage methods.

Citrix Bleed 2 Vulnerability Facilitates Token Theft; SAP GUI Flaws Compromise Sensitive Data Security June 25, 2025 In recent cybersecurity findings, researchers outlined two significant vulnerabilities in the SAP Graphical User Interface (GUI) for both Windows and Java platforms. These security flaws, designated as CVE-2025-0055 and CVE-2025-0056 and each rated…

Read More

Citrix Bleed 2 Vulnerability Allows Token Theft; SAP GUI Flaws Threaten Sensitive Data Security

June 25, 2025
Data Privacy / Vulnerability

Cybersecurity experts have unveiled two recently patched vulnerabilities in the SAP Graphical User Interface (GUI) for Windows and Java, which could allow attackers to access sensitive information if exploited. The vulnerabilities, identified as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were addressed in SAP’s January 2025 monthly update. According to Pathlock researcher Jonathan Stross, the research revealed that the SAP GUI input history is insecurely stored in both Java and Windows versions. This input history feature is designed to help users quickly access previously entered data, storing it locally on devices. However, this can include sensitive information such as usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names. The vulnerabilities highlighted by Pathlock stem from these insecure storage methods.

Microsoft Alerts U.S. Healthcare Sector About New INC Ransomware Threat

September 19, 2024
Healthcare / Malware

Microsoft has reported that a financially motivated threat actor is utilizing a ransomware strain known as INC for the first time to specifically target the U.S. healthcare sector. The company’s threat intelligence team, tracking this activity under the name Vanilla Tempest (formerly DEV-0832), noted, “Vanilla Tempest is connected to GootLoader infections orchestrated by the threat actor Storm-0494, and employs tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) software, and MEGA for data synchronization.” Following this, attackers execute lateral movements using Remote Desktop Protocol (RDP) and deploy the INC ransomware payload via Windows Management Instrumentation (WMI) Provider Host. Microsoft revealed that Vanilla Tempest has been operational since at least July 2022, with previous targets including the education, healthcare, IT, and manufacturing sectors.

Microsoft Alerts Healthcare Sector to Emerging INC Ransomware Threat On September 19, 2024, Microsoft issued a warning regarding a new ransomware variant named INC, which has been identified as a potential threat to the U.S. healthcare sector. This alarming development comes in the wake of the company’s threat intelligence team,…

Read More

Microsoft Alerts U.S. Healthcare Sector About New INC Ransomware Threat

September 19, 2024
Healthcare / Malware

Microsoft has reported that a financially motivated threat actor is utilizing a ransomware strain known as INC for the first time to specifically target the U.S. healthcare sector. The company’s threat intelligence team, tracking this activity under the name Vanilla Tempest (formerly DEV-0832), noted, “Vanilla Tempest is connected to GootLoader infections orchestrated by the threat actor Storm-0494, and employs tools such as the Supper backdoor, the legitimate AnyDesk remote monitoring and management (RMM) software, and MEGA for data synchronization.” Following this, attackers execute lateral movements using Remote Desktop Protocol (RDP) and deploy the INC ransomware payload via Windows Management Instrumentation (WMI) Provider Host. Microsoft revealed that Vanilla Tempest has been operational since at least July 2022, with previous targets including the education, healthcare, IT, and manufacturing sectors.

How Vulnerabilities in OT Devices Can Endanger Hospital Operations

Recent warnings from U.S. federal authorities concerning vulnerabilities in critical operational technology devices highlight significant security risks often overlooked by healthcare organizations. Sila Özeren, a security research engineer at Picus Security, emphasized these concerns in a recent discussion. The Cybersecurity Infrastructure and Security Agency (CISA) has issued two important alerts…

Read MoreHow Vulnerabilities in OT Devices Can Endanger Hospital Operations