Daily Drop (1277)
04-13-26
Monday, Apr 13, 2026 // (IG): BB // Ghostwire
China Targets GitHub Leaks with Federated AI Scanner: Data Spill Detection Goes Autonomous
Bottom Line Up Front (BLUF): China Mobile has patented a distributed, AI-driven system designed to scan GitHub for sensitive data leaks using federated learning. The platform aims to detect and contain exposed credentials, internal identifiers, and potentially classified information in near real time—highlighting Beijing’s growing focus on controlling data exposure beyond its traditional network boundaries.
Analyst Comments: The federated learning angle is the interesting piece. Instead of static detection rules, the system continuously learns from discovered leaks, improving accuracy over time across distributed nodes. That’s efficient—and potentially powerful if extended beyond simple credentials into broader “sensitive identifiers.” There’s also a dual-use reality here. A system designed to detect leaks can just as easily map exposed attack surfaces. At scale, this becomes less of a defensive tool and more of an intelligence collection platform. Given the state linkage, it’s reasonable to assume both use cases are on the table.
READ THE STORY: NetAskari
China Supercomputer Breach Alleged: 10PB Data Theft Raises Major Intelligence Concerns
Bottom Line Up Front (BLUF): A threat actor claims to have exfiltrated over 10 petabytes of sensitive data—including defense research and missile schematics—from China’s National Supercomputing Center in Tianjin. If validated, this would rank among the largest data breaches globally, with significant intelligence value for nation-state actors and minimal evidence of sophisticated tradecraft required to pull it off.
Analyst Comments: A hacker operating under the alias “FlamingChina” is reportedly selling a massive dataset allegedly stolen from China’s National Supercomputing Center (NSCC) in Tianjin. The data—sampled and shared via Telegram—appears to include classified documents, aerospace research, bioinformatics data, and simulations related to military systems. Cybersecurity researchers who reviewed the samples suggest the data is likely authentic, with markings indicating classified Chinese government material. The NSCC serves over 6,000 organizations, including defense and research institutions, making it a high-value centralized target.
READ THE STORY: AOL
Fake Secure Messaging Apps Deliver ProSpy Spyware in Middle East Espionage Campaign
Bottom Line Up Front (BLUF): A targeted espionage campaign linked to BITTER APT is distributing Android spyware (ProSpy) via fake “secure messaging” apps, including trojanized versions of Signal and ToTok. The operation relies on social engineering and off-store APK installs to compromise journalists, activists, and political figures across the Middle East.
Analyst Comments: Targets receive links that lead to phishing pages or fake download sites hosting ProSpy-infected APKs. The malware masquerades as enhanced versions of legitimate apps (e.g., “Signal Encryption Plugin,” “ToTok Pro”) and is distributed via deceptive domains designed to look official. Once installed, it requests extensive permissions and operates as a full-featured spyware implant. ProSpy exfiltrates contacts, SMS, call logs, device data, and files—including chat backups—using a modular architecture that assigns collection tasks via command-and-control endpoints. Infrastructure and tooling overlap with prior BITTER APT operations, though targeting patterns suggest a possible hack-for-hire model.
READ THE STORY: GBhackers
OSINT Tools Target VK Profiles: Open-Source Intelligence Lowers Barrier to Social Media Recon
Bottom Line Up Front (BLUF): A Habr tutorial highlights how widely available OSINT tools can extract, correlate, and analyze VK (VKontakte) user data—even from heavily restricted profiles. By combining facial recognition, archive scraping, username tracking, and activity monitoring, investigators can build detailed user profiles from publicly accessible data, reinforcing both the power and risk of open-source intelligence.
Analyst Comments: None of this is “new,” but the accessibility is the real story. What used to require time, skill, and fragmented tooling is now packaged into turnkey workflows. Tools like Search4faces and 220vk push OSINT closer to quasi-deanonymization, especially when users reuse photos, usernames, or behavioral patterns across platforms. The uncomfortable reality: privacy settings don’t equal privacy. Most of these techniques rely on data users exposed elsewhere or earlier. For defenders, this reinforces a familiar problem—data exhaust is persistent and cumulative. Expect these tools to show up not just in investigations, but in social engineering prep, insider threat profiling, and fraud campaigns.
READ THE STORY: Habr
Pegasus Spyware Resurfaces in Iran Targeting Claims: NSO Tool Linked to Intelligence Operations
Bottom Line Up Front (BLUF): Reports claim Pegasus spyware—developed by Israel’s NSO Group—was used in operations targeting Iranian leadership devices, allegedly involving U.S. intelligence. Pegasus remains one of the most advanced mobile surveillance tools, capable of zero-click compromise, full device access, and persistent monitoring, reinforcing its role in high-end state espionage.
Analyst Comments: Pegasus is a sophisticated spyware platform developed by NSO Group, designed to infiltrate smartphones and extract sensitive data, including messages, calls, and real-time audio/video. It can be deployed using zero-click exploits, requiring no interaction from the target. According to reports, the spyware has allegedly been used in operations targeting Iranian leadership devices, with claims linking its use to intelligence activity involving the CIA. Once installed, Pegasus grants near-total control over the device, enabling surveillance, data exfiltration, and persistent monitoring. Its use has previously been documented in investigations involving governments targeting journalists, activists, and political figures worldwide.
READ THE STORY: Times of India
Compromised Axios Package Forces macOS Signing Certificate Rotation
Bottom Line Up Front (BLUF): OpenAI revoked and rotated its macOS app signing certificate after a compromised Axios npm package was executed within its CI/CD pipeline. While no evidence of data theft or certificate exfiltration was found, the move reflects a defensive response to a broader supply chain campaign tied to North Korean-linked actors and highlights systemic risk in developer pipelines.
Analyst Comments: The real issue isn’t Axios—it’s CI/CD trust. A GitHub Actions workflow pulled a poisoned dependency, and that workflow had access to signing infrastructure. That’s the nightmare scenario defenders keep talking about: build pipelines as the new perimeter. Also worth paying attention to the broader campaign. This wasn’t a one-off. The same actor set pivoted across npm, PyPI, GitHub Actions, and security tooling (Trivy), targeting anything with elevated privileges or wide integration. That’s deliberate targeting of trust anchors in the ecosystem.
READ THE STORY: THN
Apache Tomcat Flaws Enable Encryption Bypass and Authentication Weakness
Bottom Line Up Front (BLUF): Multiple vulnerabilities in Apache Tomcat allow attackers to bypass encryption protections, exploit a flawed patch, and potentially circumvent client certificate authentication. Given Tomcat’s widespread enterprise use, unpatched systems are exposed to traffic decryption, session manipulation, and unauthorized access.
Analyst Comments: This is a classic cascade failure: crypto weakness → rushed patch → patch introduces a bypass. That sequence matters more than any single CVE. It shows how fragile security controls become when fixes aren’t fully validated under real-world conditions. The padding oracle (CVE-2026-29146) is the real foothold. Once you expose CBC in this way, attackers can gradually decrypt and tamper with session data. The follow-on bypass (CVE-2026-34486) makes things worse by effectively nullifying the intended mitigation—so even patched systems may still be exposed if they landed on the wrong version.
READ THE STORY: GBhackers
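An added illustration of the padding-oracle point above, not code from the article or from Tomcat: a toy CBC session-token scheme where decrypt_leaky() reports padding failures distinctly (the oracle shape) and open_sealed() closes it with encrypt-then-MAC and a constant-time tag check. The Feistel block cipher, key and message values are constructed stand-ins, not Tomcat's implementation.

```python
# Added illustration (not Tomcat's code or the article's): toy CBC session tokens.
# decrypt_leaky() has the oracle shape; open_sealed() closes it with encrypt-then-MAC.
import hashlib, hmac, os

BLOCK, TAG = 16, 32
class PaddingError(Exception): pass
class AuthError(Exception): pass
def _xor(a: bytes, b: bytes) -> bytes: return bytes(x ^ y for x, y in zip(a, b))
def _block(key: bytes, blk: bytes, decrypt: bool = False) -> bytes:
    # 6-round Feistel with a SHA-256 round function: an AES stand-in for a stdlib-only demo.
    f = lambda rnd, half: hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
    l, r = blk[:8], blk[8:]
    for rnd in (reversed(range(6)) if decrypt else range(6)):
        l, r = (_xor(r, f(rnd, l)), l) if decrypt else (r, _xor(l, f(rnd, r)))
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    n = BLOCK - len(pt) % BLOCK                            # PKCS#7 padding
    data, out, prev = pt + bytes([n]) * n, b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _block(key, _xor(data[i:i + BLOCK], prev)); out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], True), prev); prev = ct[i:i + BLOCK]
    return out

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError       # a distinguishable failure is what makes the oracle
    return data[:-n]
def decrypt_leaky(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Vulnerable shape: no MAC, so the error a caller sees reveals whether padding was valid.
    return unpad(cbc_decrypt(key, iv, ct))
def seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    iv = os.urandom(BLOCK); ct = cbc_encrypt(enc_key, iv, pt)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def open_sealed(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    # Hardened: constant-time HMAC over IV||ciphertext first; tampering fails uniformly before unpad().
    iv, ct, tag = token[:BLOCK], token[BLOCK:-TAG], token[-TAG:]
    want = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not ct or len(ct) % BLOCK or not hmac.compare_digest(tag, want):
        raise AuthError
    return unpad(cbc_decrypt(enc_key, iv, ct))
def outcome(fn, *args) -> str:   # what an observer learns from one call
    try: fn(*args); return "ok"
    except (PaddingError, AuthError) as e: return type(e).__name__[:-5].lower()
```

Flipping one byte of the first ciphertext block silently edits the session field in the leaky scheme ("ok"), while the sealed scheme rejects every modification with the same "auth" result.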
Intoxalock Outage: Cyberattack Disrupts Vehicle Breathalyzers, Strands Thousands of Drivers
Bottom Line Up Front (BLUF): A cyberattack against Intoxalock disrupted backend systems supporting ignition interlock devices, preventing thousands of drivers from starting their vehicles for days. While no data theft or ransom demand has been reported, the incident highlights how availability failures in cyber-physical systems can translate directly into real-world disruption.
Analyst Comments: Reports indicate the disruption was caused by a server-flooding attack (likely DDoS), which took down the centralized infrastructure required for device calibration. No calibration, no ignition. That’s a design problem. The bigger issue is architectural: these devices rely on continuous backend availability, creating a single point of failure. When that backend goes down, it doesn’t degrade service—it immobilizes users entirely. That’s a high-impact outcome for what appears to be a relatively low-complexity attack.
READ THE STORY: Security Boulevard
Items of interest
Project Glasswing Launches to Counter AI-Driven Surge in Zero-Day Vulnerabilities
Bottom Line Up Front (BLUF): Major tech firms have launched Project Glasswing to defend against a new class of AI-driven cyber threats after Anthropic’s Claude Mythos model demonstrated the ability to autonomously discover and exploit thousands of critical vulnerabilities across core software systems.
Analyst Comments: The headline isn’t that AI can find bugs. It’s that it can do it autonomously, at scale, and faster than humans can respond. When a model can discover zero-days across operating systems, browsers, and cryptographic libraries—many of them decades old—you’re no longer dealing with incremental improvement. This is a step-change. The collapse of the vulnerability lifecycle is the real risk. Discovery → exploitation used to take months. Now it can happen in minutes. That compresses defender timelines to near zero. Glasswing is essentially a containment strategy. Keep the capability in a controlled ecosystem, let trusted players burn down vulnerabilities defensively, and buy time before this becomes widely accessible.
READ THE STORY: Anthropic
An AI Just Discovered 22 Critical Bugs in Firefox… Cybersecurity Is About to Get Weird (Video)
FROM THE MEDIA: Artificial intelligence is starting to change cybersecurity in ways few people expected.
Cybersecurity, AI & the New Arms Race | Global Power & Digital Warfare (Video)
FROM THE MEDIA: This is a competition for technological dominance, digital control, and strategic advantage.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don't hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.