CyberSecurity Newsletter 1st December 2025
In this week’s news: Ivanti RCE exploit, Oracle E-Business Suite RCE, LLMs Found to Produce Vulnerable Code by Default, HashJack Attack Uses URL ‘#’ to Control AI Browser Behavior, Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday, Popular code formatting sites are exposing credentials and other secrets, Contagious Interview campaign expands with 197 npm packages spreading new OtterCookie malware, and Leak confirms OpenAI is preparing ads on ChatGPT for public roll out.
A massive operation involving over 2,000 fake online stores has been found, timed perfectly to steal money and personal details during peak sales like Black Friday and Cyber Monday.
https://hackread.com/fake-shopping-sites-cyber-monday/
CVE-2025-0282 is a critical vulnerability found in Ivanti Connect Secure, allowing Remote Command Execution (RCE) through a buffer overflow exploit.
https://github.com/absholi7ly/CVE-2025-0282-Ivanti-exploit
Law enforcement officers from Switzerland and Germany have taken down the Cryptomixer cryptocurrency-mixing service, believed to have helped cybercriminals launder stolen funds. The joint action was part of "Operation Olympia," and it took place between November 24 and November 28 in Zurich, Switzerland.
https://www.bleepingcomputer.com/news/security/police-takes-down-cryptomixer-cryptocurrency-mixing-service/
The Royal Borough of Kensington and Chelsea (RBKC) has told residents that their data may have been compromised in a cyber-attack on an IT service provider discovered last week. The council, London’s smallest but most densely populated, revealed the news in an update on Friday.
https://www.infosecurity-magazine.com/news/royal-borough-kensington-chelsea/
Some of the world’s most popular large language models (LLMs) are producing insecure code by default, according to a new analysis by Backslash Security. The findings demonstrate the security risks relating to software developers using generative AI tools to create code, particularly using simple, “naïve” prompts. Even prompts that specify general or specific security requirements often result in code containing common vulnerabilities.
https://www.infosecurity-magazine.com/news/llms-vulnerable-code-default/
Cato Networks revealed HashJack, a new threat where the simple pound sign (#) in a web address (URL) hides malicious instructions for AI browser assistants like Google’s Gemini, Microsoft’s Copilot, and Perplexity’s Comet.
https://hackread.com/hashjack-attack-url-control-ai-browser-behavior/
North Korea-linked actors behind Contagious Interview uploaded 197 new malicious npm packages to distribute a new OtterCookie malware version. Attackers pose as recruiters on platforms like LinkedIn and use social engineering tactics, including fake job interviews and trojanized demo projects, to deliver malware. Their payloads commonly include the BeaverTail and OtterCookie infostealers and the InvisibleFerret RAT.
https://securityaffairs.com/185170/apt/contagious-interview-campaign-expands-with-197-npm-ppackages-spreading-new-ottercookie-malware.html
CVE-2025-61882 is a vulnerability in Oracle E-Business Suite. It is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OpenPLC ScadaBR flaw, tracked as CVE-2021-26829 (CVSS score of 5.4), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a cross-site scripting (XSS) flaw that impacts Windows and Linux versions via system_settings.shtm. The vulnerability impacts OpenPLC ScadaBR through 1.12.4 on Windows and OpenPLC ScadaBR through 0.9.1 on Linux.
https://securityaffairs.com/185185/security/u-s-cisa-adds-an-openplc-scadabr-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Widely used code formatting sites JSONFormatter and CodeBeautify are exposing sensitive credentials, API keys, private keys, configuration files and other secrets, watchTowr researchers discovered.
https://www.helpnetsecurity.com/2025/11/25/code-formatting-sites-exposing-secrets/
Asahi Group Holdings, Japan’s largest beer producer, has finished the investigation into the September cyberattack and found that the incident has impacted up to 1.9 million individuals. The type of data compromised in the attack includes full names, genders, physical addresses, phone numbers, and email addresses, and could be used in phishing attempts.
https://www.bleepingcomputer.com/news/security/japanese-beer-giant-asahi-says-data-breach-hit-15-million-people/
OpenAI is now internally testing 'ads' inside ChatGPT that could redefine the web economy. Up until now, the ChatGPT experience has been completely free. While there are premium plans and models, you don't see GPT sell you products or show ads. On the other hand, Google Search has ads that influence your buying behaviour. OpenAI is planning to replicate a similar experience.
https://www.bleepingcomputer.com/news/artificial-intelligence/leak-confirms-openai-is-preparing-ads-on-chatgpt-for-public-roll-out/
After scanning all 5.6 million public repositories on GitLab Cloud, a security engineer discovered more than 17,000 exposed secrets across over 2,800 unique domains. Luke Marshall used the TruffleHog open-source tool to check the code in the repositories for sensitive credentials like API keys, passwords, and tokens.
https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/
Threat actors have been found manipulating digital calendar subscription infrastructure to deliver harmful content. Calendar series subscriptions allow third parties to add events and push notifications directly to devices; for instance, retailers can share sale dates and sports associations can update the calendar of upcoming matches.
https://www.infosecurity-magazine.com/news/threat-actors-exploit-calendar-subs/