Former defense firm GM pleads guilty to selling cyber exploits to Russian broker

Nation-state hackers breached key US telecom services firm Ribbon Communications for nearly a year, US government agencies back bid to ban TP-Link routers, Hacktivists breached Canadian critical infrastructure, Python Foundation rejected US grants that required DEI deletions, much more

Former defense firm GM pleads guilty to selling cyber exploits to Russian broker
Source: U.S. Air Force photo by Senior Airman Haiden Morris


Peter Williams, the former general manager at defense contractor L3Harris, has pleaded guilty to selling surveillance technology to a Russian broker that buys “cyber tools,” the US Department of Justice said.

“The material, stolen over a three-year period from the US defense contractor where he worked, was comprised of national-security focused software that included at least eight sensitive and protected cyber-exploit components,” read the DOJ’s press release on Wednesday. “Those components were meant to be sold exclusively to the US government and select allies.”

TechCrunch previously exclusively reported, citing four former Trenchant employees, that the company was investigating a leak of its hacking tools. Prosecutors now say Williams exploited his access to the company’s “secure network to steal the cyber exploit components.”

Williams headed Trenchant, the division at L3Harris that develops spyware, exploits, and zero-days — security vulnerabilities in software that are unknown to its maker. Trenchant sells its surveillance tech to government customers in Australia, Canada, New Zealand, the United States, and the United Kingdom, the so-called Five Eyes intelligence alliance. Trenchant was founded after L3Harris in 2019 acquired two Australian sister startups, Azimuth and Linchpin Labs, which developed and sold zero-days to the Five Eyes alliance of countries.

The DOJ said Williams, a 39-year-old Australian citizen who resides in Washington, DC, sold exploits to the unnamed Russian broker, who promised Williams millions of dollars in cryptocurrency in exchange. The former Trenchant general manager allegedly signed contracts with the broker that stipulated an initial payment for the exploits, and periodic payments “for follow-on” support. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Bloomberg, UPI, CyberScoop, US Department of Justice, TechCrunch, iTnews, CNN, Wired, ABC, Townhall, Information Age, Reuters, Sydney Morning Herald, Reddit cybersecurity, CNN

Hackers working for an unnamed nation-state breached networks at Ribbon Communications, a key US telecommunications services company, and remained within the firm’s systems for nearly a year without being detected, the company said in an SEC filing.

Ribbon did not identify the nation-state actor or disclose which of its customers were affected by the breach, but said that its investigation has so far revealed three “smaller customers” impacted.

“While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this,” a Ribbon spokesperson said in an email. “We have also taken steps to further harden our network to prevent any future incidents.”

The company reported to the SEC that “several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor.” The spokesperson declined to elaborate on “customer files” but said there were a total of four “older files.”

There is no evidence to date that the incident would give hackers access to customer systems, and the company was not aware of any government customers being impacted, a spokesperson said. (A.J. Vicens / Reuters)

Related: SEC, The Hindu, Modern Diplomacy, The Register

The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company’s former assets in China. The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice, and Defense, sources said.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a US company committed to supplying high-quality and secure products to the US market and beyond.”

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more US consumers. (Joseph Menn / Washington Post)

The Canadian Centre for Cyber Security warned that hacktivists have breached critical infrastructure systems multiple times across the country, allowing them to modify industrial controls that could have led to dangerous conditions.

The authorities issued the warning to raise awareness of the elevated malicious activity targeting internet-exposed Industrial Control Systems (ICS) and the need to adopt stronger security measures to block the attacks.

The alert shares three recent incidents in which so-called hacktivists tampered with critical systems at a water treatment facility, an oil & gas firm, and an agricultural facility, causing disruptions, false alarms, and a risk of dangerous conditions.

"One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community," describes the bulletin.

"Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms."

"A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time."

The Canadian authorities believe that these attacks weren't planned and sophisticated, but rather opportunistic, aimed at causing a media stir, undermining trust in the country's authorities, and harming its reputation. (Bill Toulas / Bleeping Computer)

Related: Security Affairs, Cyber.gc.ca, DataBreaches.net

The Python Software Foundation (PSF) walked away from a $1.5 million government grant due to the Trump administration's ban on any efforts to level the playing field for diverse and minority participants.

The programming non-profit's deputy executive director, Loren Crary, said that the National Science Foundation (NSF) had offered $1.5 million to address structural vulnerabilities in Python and the Python Package Index (PyPI), but the Foundation quickly became dispirited with the terms of the grant it would have to follow.

"These terms included affirming the statement that we 'do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI [diversity, equity, and inclusion], or discriminatory equity ideology in violation of Federal anti-discrimination laws,'" Crary noted. "This restriction would apply not only to the security work directly funded by the grant, but to any and all activity of the PSF as a whole."

To make matters worse, the terms included a provision that if the PSF was found to have violated that anti-DEI diktat, the NSF reserved the right to claw back any previously disbursed funds, Crary explained.

"This would create a situation where money we'd already spent could be taken back, which would be an enormous, open-ended financial risk," the PSF director added.

The PSF's mission statement enshrines a commitment to supporting and growing "a diverse and international community of Python programmers," and the Foundation ultimately decided it wasn't willing to compromise on that position, even for what would have been a solid financial boost for the organization.

"The PSF is a relatively small organization, operating with an annual budget of around $5 million per year, with a staff of just 14," Crary added, noting that the $1.5 million would have been the largest grant the Foundation had ever received - but it wasn't worth it if the conditions were undermining the PSF's mission.

The PSF board voted unanimously to withdraw its grant application. (Brandon Vigliarolo / The Register)

Related: Python Software Foundation, CyberScoop, Techzine, Ars Technica, WebProNews, Bleeping Computer

He created a proof-of-concept exploit, Brash, to demonstrate the vulnerability affecting billions of people worldwide. 

Chrome is the most popular browser in the world with over 70% market share, according to StatCounter, and that's not counting all the people who use any of the open source Chromium-based browsers, including Microsoft Edge, OpenAI's ChatGPT Atlas, Brave, and Vivaldi. Given that the ITU counts 5.5 billion internet users, that suggests Chrome alone is used by more than 3 billion people.

Brash exploits an architectural flaw in Blink, the rendering engine used by Chromium-based browsers. After testing the PoC on 11 major browsers on Android, macOS, Windows, and Linux, Pino found it works on nine of them, causing those browsers to collapse in 15 to 60 seconds. It affects Chromium versions 143.0.7483.0 and later.

"The attack vector originates from the complete absence of rate limiting on document.title API updates," Pino said in research published on GitHub. "This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse."

The flaw is due to the absence of throttling on document.title updates, so it essentially takes advantage of the fact that Blink doesn't limit resource consumption. (Jessica Lyons / The Register)

Related: Brash, GitHub

The United States has yet to sign the controversial UN Cybercrime Convention, stating that it "continues to review" the document.

The decision follows months of warnings from technology groups and civil society organizations that signing onto the treaty could effectively hand authoritarian regimes a new tool to justify surveillance or repression.

"As we engage in treaty-related discussions, we will not sit back and watch China, Russia, and others try to suppress freedom of expression or obtain data in a manner inconsistent with the obligations in the treaty," the US said in a statement. "We will strongly condemn any efforts to misinterpret or seek to misuse the treaty as cover to unlawfully target US citizens and businesses."

Even without US ratification, the treaty could carry implications for Washington. Signatory nations could cite it as a global standard to demand cooperation in prosecutions that undermine free expression and privacy. The agreement also marked a culmination of nearly a decade of Russian and Chinese efforts to replace an existing cybercrime treaty, the Budapest Convention, with a "digital sovereignty" model that legitimizes domestic surveillance under the banner of national security.

UN Secretary-General António Guterres described the convention as a "powerful, legally-binding instrument to strengthen our collective defenses against cybercrime" during a speech at the signing ceremony. (Chris Riotta / GovInfoSecurity)

Related: Hanoi Convention, SC World, UN WebTV

SK Telecom Co., South Korea's leading mobile carrier, said its third-quarter earnings swung to a net deficit from a year earlier due mainly to massive compensation costs following a data breach that affected its entire 25 million-user base.

It posted a net loss of 166.7 billion won (US$117.1 million) for the July-September period, compared with a profit of 280.2 billion won a year earlier, the company said in a regulatory filing.

The loss was 33.3 percent higher than the average estimate, according to a survey by Yonhap Infomax, the financial data firm of Yonhap News Agency. Operating profit plunged 90.9 percent on-year to 48.4 billion won from 533.3 billion won. Its sales fell 12.2 percent to 3.97 trillion won.

SK Telecom attributed the net loss to a 500 billion-won customer compensation program that included mobile rate cuts, additional data offers, and discount coupons starting in August.

In April, the company reported a large-scale cyberattack on its main servers, during which universal subscriber identity module (USIM) data was potentially compromised.

In response, it offered to replace the USIM chips of all 25 million users while suspending new subscription services for two months. (Yonhap News Agency)

Related: KoreaJoongAng Daily, The Chosun, Maeil Business Newspaper, Tech in Asia

Researchers at Socket report that ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems.

The packages were uploaded to npm on July 4 and remained undetected for an extended period due to multiple layers of obfuscation that helped escape standard static analysis mechanisms.

The ten packages counted nearly 10,000 downloads and stole credentials from system keyrings, browsers, and authentication services.

Socket researchers say that the packages use a fake CAPTCHA challenge to appear legitimate and download a 24MB infostealer packaged with PyInstaller. To lure users, the threat actor used typosquatting, a tactic that leverages misspellings or variations of the legitimate names for TypeScript (typed superset of JavaScript), discord.js (Discord bot library), ethers.js (Ethereum JS library), nodemon (auto-restarts Node apps), react-router-dom (React browser router), and zustand (minimal React state manager).

When searching for the legitimate packages on the npm platform, developers may mistype the name of the legitimate package or pick a malicious one listed in the results.

At the time of writing, the packages are still available, despite Socket reporting them to npm. Developers who downloaded any of the listed packages are recommended to clean up the infection and rotate all access tokens and passwords, as there is a good chance that they are compromised. (Bill Toulas / Bleeping Computer)
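
As an added example (not code from Socket or the original article), a small checker that flags dependency names within one or two edits of the six legitimate packages named above. The package.json it scans is constructed here, and the misspellings in it are illustrative, not the actual malicious package names.

```python
"""Flag package.json dependencies whose names are near-misses of popular npm
packages, the typosquatting pattern in the Socket report."""
import json

# The six legitimate packages the report names as typosquatting targets.
LEGIT_PACKAGES = ("typescript", "discord.js", "ethers.js",
                  "nodemon", "react-router-dom", "zustand")

# Constructed sample manifest (not real malicious package names): genuine
# dependencies mixed with one- and two-edit misspellings.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "typescript": "^5.4.0",
    "typscrypt": "1.0.0",
    "dicord.js": "14.0.1",
    "ethers-js": "6.0.0",
    "nodemon": "^3.0.0",
    "react-router-dmo": "6.22.0",
    "zusstand": "4.5.0",
    "express": "^4.19.2"
  }
}"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1, so 'react-router-dmo' is one typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def parse_dependencies(package_json: str) -> dict:
    """Merge runtime and dev dependencies from a package.json document."""
    manifest = json.loads(package_json)
    return {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}


def find_typosquats(dependencies: dict, max_distance: int = 2) -> list:
    """Report names within max_distance edits of a legitimate package.
    Exact matches are the genuine packages and are skipped."""
    findings = []
    for name in dependencies:
        candidate = name.lower()
        if candidate in LEGIT_PACKAGES:
            continue
        closest = min(LEGIT_PACKAGES, key=lambda legit: osa_distance(candidate, legit))
        distance = osa_distance(candidate, closest)
        if distance <= max_distance:
            findings.append({"dependency": name, "resembles": closest,
                             "distance": distance})
    return findings
```

Running it on the constructed manifest reports five near-misses (distance 1 or 2) and leaves the genuine names and the unrelated `express` alone; in practice the legitimate list would be the organisation's own allow-list rather than these six names.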

Related: Socket, SC Media

Bogus ASCII CAPTCHA step. Source: Socket

Wordfence reports that the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.

The plugin provides malware scanning and protection against brute-force attacks, exploitation of known plugin flaws, and database injection attempts.

Identified as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and affects versions of the plugin 4.23.81 and earlier.

The issue stems from missing capability checks in the GOTMLS_ajax_scan() function, which processes AJAX requests using a nonce that attackers could obtain.

This oversight allows a low-privileged user, who can invoke the function, to read arbitrary files on the server, including sensitive data such as the wp-config.php configuration file that stores the database name and credentials.

On October 15, the developer released version 4.23.83 of the plugin that addresses CVE-2025-11705 by adding a proper user capability check via a new ‘GOTMLS_kill_invalid_user()’ function.

According to WordPress.org stats, roughly 50,000 website administrators have downloaded the latest version since its release, indicating that an equal number of sites are running a vulnerable version of the plugin. (Bill Toulas / Bleeping Computer)

Related: Wordfence

Researchers at Zimperium report that they have tracked a fast-growing cybersecurity threat targeting Android users through their tap-to-pay systems via malicious apps that use Android’s Near Field Communication (NFC) and Host Card Emulation (HCE) features to steal payment data, turning infected phones into tools for payment fraud.

Their findings show that this method of attack is spreading fast as cybercriminals look for new ways to exploit mobile payments.

The malicious apps pretend to be official banking or government applications, copying the look and feel of trusted brands such as Google Pay, VTB Bank, Santander, and the Russian State Services Portal (Gosuslugi).

Once installed, these fake apps prompt users to set them as their default payment method. However, in reality, they activate NFC relay functionality that forwards card data to remote servers controlled by attackers, allowing them to perform fraudulent transactions almost instantly.

According to Zimperium, the operation involves more than 70 command-and-control servers and numerous Telegram bots coordinating the scam and resale of financial data.

The malware communicates using structured commands, where one infected device collects payment data and another device uses it to complete transactions at a physical terminal. The entire exchange happens through live relay, letting attackers spoof legitimate NFC payments without physical access to the victim’s card. (Waqas / HackRead)

Related: Zimperium

Organizations impersonated by the malicious apps. Source: Zimperium.

LinkedIn announced changes to its data use terms a month ago, noting that as of November 3, it would start sucking up data from "members in the EU, EEA, Switzerland, Canada, and Hong Kong" to train AI models, leaving users only a few days to opt out of this privacy violation.

"Starting November 3, 2025, we will share additional data about members … with our Affiliate Microsoft so that the Microsoft family of companies can show you more personalized and relevant ads," LinkedIn explained. "This data may include your LinkedIn profile data, feed activity data, and ad engagement data."

For users in the UK, EU, EEA, Switzerland, Canada, and Hong Kong, both of these opt-outs will be new. For users in the rest of the world (including the US), your data has already been scraped by LinkedIn to train AI for some time – affiliate (i.e., Microsoft) advertising via this data is new, but the opt-out steps for both are the same regardless of where you connect to the social network.

Users can opt out with the toggle for AI training found under the Settings > Data Privacy category. Advertising preferences are located in the Advertising Data category in Settings, with three particular items under the Off LinkedIn Data header affecting whether LinkedIn profile and post data can be shared with Microsoft for serving ads. (Brandon Vigliarolo / The Register)

Related: Bitdefender, TechRadar, South China Morning Post

After a months-long leadership vacuum amid intense scrutiny from one of President Donald Trump’s most vocal far-right supporters, the National Security Agency is readying several senior personnel moves meant to reinvigorate the organization. Sources say Army Lt. Gen. Paul Stanton, the leader of Cyber Command’s network defense arm, and Air Force Lt. Gen. Thomas Hensley, the head of his service’s information warfare command, are considered front-runners for the job.

The foreign electronic eavesdropping agency has lacked a permanent chief for nearly seven months and experienced a stream of high-level departures, as well as pressure from the administration to pare down its workforce.

Stanton already serves in a “dual-hat” role as head of the Defense Information Systems Agency (DISA) and the Cyber Defense Command, a renamed, newly elevated organization responsible for protecting the Pentagon’s networks globally.

Stanton previously helmed the Army’s Cyber Center of Excellence and holds three degrees in computer science, including a doctorate from Johns Hopkins University.

Hensley has served mainly in intelligence roles, including as the deputy director of operations for combat support at NSA, before assuming command of the 16th Air Force and Air Forces Cyber last year. (Martin Matishak / The Record)

Private equity firm Francisco Partners agreed to purchase Jamf for $2.2 billion just three months after the Apple management and security vendor laid off 6.4% of its workforce.

The Minneapolis-based company said the $13.05-per-share offer will provide Jamf with greater financial flexibility to accelerate growth and expand through innovation and M&A. Francisco Partners' offer represents a 50% premium to Jamf's average share price for the 90 days before Sept. 11, which was the last day before Reuters said Jamf was exploring a sale. (Michael Novinson / BankInfoSecurity)

Related: Business Wire, Private Equity Insights, Apple Must, Biz Journals, TipRanks

Best Thing of the Day (?): If College Doesn't Work Out, There Are Bug Bounties

Bug bounties keep rising, making it possible for more young people, including those who are seemingly challenged by traditional academic settings, to make big bucks.

Worst Thing of the Day: Kavanaugh Stops Now, Aided by Facial Recognition

ICE and Customs and Border Protection (CBP) are actively using smartphone facial recognition technology in stops that seem to have little justification beyond the color of someone’s skin.

Closing Thought
