Trump officials might boycott RSAC citing Easterly's CEO position
Grubhub confirms data breach, China's UAT-8837 breached CIC orgs in N. America, Hackers exploit top severity flaw in Modular DS WordPress plugin, Flaw in AMD CPUs exposes secure virtualization environment, Gemini 'personal intelligence' will scan everything, much more

Support independent media - upgrade your Metacurity subscription today.
Metacurity is one of the few independent media outlets delivering a daily round-up of the critical infosec developments you should know. For years, we have worked to scan thousands of sources to deliver you summarized and aggregated news to help you keep your organizations secure.
We value all of our readers, but the paid subscribers help us keep plugging away at our mission of ending infosec news overload. Please, please help keep Metacurity alive with a paid subscription. Thank you!
If you can't afford a paid subscription right now, please consider donating whatever you can. Thanks.
Top Trump administration cyber officials are in discussions to cancel their attendance at the RSAC Conference taking place in San Francisco in March after top Biden-era cyber leader and former CISA Director Jen Easterly was named CEO of the event, according to multiple former officials and other people with knowledge of the matter.
Officials in the White House Office of the National Cyber Director, National Security Council, and Cybersecurity and Infrastructure Security Agency discussed potential plans to no longer attend after Easterly was named CEO of the RSAC Conference.
Easterly became a target of Trump ally and far-right activist Laura Loomer last year when she flagged Easterly’s plans to return to West Point as the new Robert F. McDermott Distinguished Chair in its Department of Social Sciences.
Loomer said at the time that Easterly “brought in” Nina Jankowicz, a former DHS official who ran the now‑shuttered Disinformation Governance Board, casting her as part of a network of officials she accused of working against President Donald Trump. Army Secretary Dan Driscoll said soon after that Easterly’s offer was rescinded and that he would be pausing outside groups from selecting academy employees and instructors. (David DiMolfetta / NextGov/FCW)
Related: CNN, Security Week, Axios, Wired, PR Newswire, WebProNews, The Cyber Express
Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources saying the company is now facing extortion demands from the ShinyHunters cybercrime group.
"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub said.
"We quickly investigated, stopped the activity, and are taking steps to increase our security posture further. Sensitive information, such as financial information or order history, was not affected."
Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.
However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.
According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.
Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing. (Lawrence Abrams / Bleeping Computer)
Related: Teiss
Researchers at Cisco Talos report that Chinese hackers successfully breached multiple critical infrastructure organizations in North America over the last year using a combination of compromised credentials and exploitable servers.
They documented a campaign starting last year where Chinese government-backed hacking groups were tasked with obtaining initial access to “high-value” organizations. Cisco Talos refers to the group as “UAT-8837.”
After getting access, the threat actors used a variety of tools to steal credentials, security configurations, and other information to enable broader access to victim organizations.
While the group has used multiple vulnerabilities to gain access, Cisco Talos tracked several intrusions involving the exploitation of CVE-2025-53690, a bug affecting products from software company Sitecore.
Federal cybersecurity officials spotlighted the zero-day vulnerability in the fall, and all federal civilian agencies were ordered to patch the bug by September 25. At the time, Google published its own examination of an incident involving the bug and mentioned at least four of the same post-exploitation tools that Cisco Talos highlighted.
Cisco Talos said the group’s targeting of the bug indicates the Chinese group “may have access to zero-day exploits.”
One of the tools used by the group, called Earthworm, allows threat actors to expose internal endpoints to attacker-owned remote infrastructure. Cisco Talos said Chinese-speaking threat actors have used Earthworm extensively during intrusions, deploying several variants of the tool to determine which one goes undetected by the victim's endpoint protection products.
"The undetected version is then used to create a reverse tunnel to attacker-controlled servers," they explained. (Jonathan Greig / The Record)
Related: Cisco Talos, Cyber Press
According to researchers at Patchstack, hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges.
The flaw, tracked as CVE-2026-23550, affects versions 2.5.1 and older of Modular DS, a management plugin that allows managing multiple WordPress sites from a single interface.
The plugin lets owners, developers, or hosting providers remotely monitor sites, perform updates, manage users, access server information, run maintenance tasks, and log in. Modular DS has more than 40,000 installations.
According to Patchstack researchers, CVE-2026-23550 is currently being exploited in the wild, with the first attacks detected on January 13 at around 02:00 UTC.
Patchstack confirmed the flaw and reached out to the vendor on the following day. Modular DS released a fix in version 2.5.2, only a few hours later.
The vulnerability is caused by a series of design and implementation flaws, including accepting requests as trusted when “direct request” mode is activated, without a cryptographic check of their origin. This behavior exposes multiple sensitive routes and activates an automatic admin login fallback mechanism.
If no specific user ID is provided in the request body, the plugin fetches an existing admin or super admin user, then logs in as that user automatically. (Bill Toulas / Bleeping Computer)
Related: Patchstack, Modular, Security Affairs
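The two design flaws described above (a "trusted" request mode with no cryptographic proof of origin, plus an automatic admin-login fallback when the caller names no user) are easier to see side by side. The following is an added illustration written for this newsletter, not the Modular DS plugin's own code: the user table, the `X-Signature` header, the per-site secret and the five-minute freshness window are all assumed, and the hardened handler uses a hypothetical HMAC-SHA256 scheme as one example of an origin check the vulnerable path lacks.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the site's user table (not the plugin's data model).
USERS = {
    1: {"login": "owner", "role": "administrator"},
    2: {"login": "editor", "role": "editor"},
}
MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)


def first_admin_user():
    """The privileged-fallback lookup: returns the first administrator."""
    for uid, user in sorted(USERS.items()):
        if user["role"] == "administrator":
            return uid
    return None


def vulnerable_login(request, direct_request_mode):
    """Models the flaw as the text describes it: in 'direct request' mode the
    request is trusted with no proof of where it came from, and a body with
    no user ID silently selects an administrator to log in as."""
    if not direct_request_mode:
        return {"ok": False, "reason": "direct_mode_off"}
    body = json.loads(request["body"])
    uid = body.get("user_id")
    if uid is None:
        uid = first_admin_user()  # the automatic admin login fallback
    return {"ok": True, "logged_in_as": uid}


def sign(body, site_secret):
    """HMAC-SHA256 over the raw request body with the per-site shared secret
    (assumed scheme, used here to show what the vulnerable path omits)."""
    return hmac.new(site_secret, body.encode(), hashlib.sha256).hexdigest()


def hardened_login(request, site_secret, now):
    """Hardened form: every request must carry a valid HMAC and a fresh
    timestamp, the body is parsed only after it verifies, and the caller must
    name an existing user; there is no privileged default."""
    sig = request.get("headers", {}).get("X-Signature")
    if not sig:
        return {"ok": False, "reason": "missing_signature"}
    if not hmac.compare_digest(sig, sign(request["body"], site_secret)):
        return {"ok": False, "reason": "bad_signature"}
    try:
        body = json.loads(request["body"])
    except ValueError:
        return {"ok": False, "reason": "bad_body"}
    ts = body.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
        return {"ok": False, "reason": "stale_request"}
    uid = body.get("user_id")
    if uid not in USERS:
        return {"ok": False, "reason": "unknown_user"}
    return {"ok": True, "logged_in_as": uid}
```

The point of the comparison is that an unauthenticated, empty-bodied request is enough to become an administrator on the vulnerable path, while the hardened path rejects the same request before it ever consults the user table. The timestamp is there because a signature alone still allows replay of a captured request; the constant-time comparison avoids leaking the expected signature byte by byte.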
Computer scientists affiliated with the CISPA Helmholtz Center for Information Security in Germany have found a vulnerability in AMD CPUs that exposes secrets in its secure virtualization environment.
The flaw, dubbed StackWarp, potentially allows a malicious insider who controls a host server to access sensitive data within AMD SEV-SNP guests through attacks designed to recover cryptographic private keys, bypass OpenSSH password authentication, and escalate privileges.
AMD was informed about the vulnerability (CVE-2025-29943), made patches available in July 2025, and has now published a security bulletin designating the issue as low severity.
StackWarp demonstrates yet again that it's difficult to guarantee that virtual machines remain isolated from one another on commodity hardware. It exploits a flaw in a microarchitectural optimization designed to accelerate stack operations.
"The vulnerability can be exploited via a previously undocumented control bit on the hypervisor side," said CISPA researcher Ruiyi Zhang in a statement provided to The Register. "An attacker running a hyperthread in parallel with the target VM can use this to manipulate the position of the stack pointer inside the protected VM."
The attack scenario applies to AMD SEV-SNP, a successor to AMD Secure Encrypted Virtualization (SEV) and SEV-ES (Encrypted State), when Simultaneous Multithreading (SMT) is enabled. (Thomas Claburn / The Register)
Google announced extensive “personal intelligence” in Gemini that allows the chatbot to connect to Gmail, Photos, Search, and YouTube to craft more useful answers to user questions.
As Personal Intelligence rolls out over the coming weeks, AI Pro and AI Ultra subscribers will see the option to connect those data sources. Each can be connected individually, so you might choose to allow Gmail access but block Photos, for example. When Gemini is permitted access to other Google products, it incorporates that data into its responses. (Ryan Whitman / Ars Technica)
Related: Google, Forbes, ZDNet
Researchers at Wiz report that a critical vulnerability in the AWS Console could have led to a massive supply chain attack.
The vulnerability, dubbed CodeBreach, could have allowed an attacker to take over core AWS GitHub repositories, specifically the AWS JavaScript SDK, which powers the AWS Console and is installed in about two-thirds of cloud environments, according to Wiz.
Wiz researchers disclosed the flaw to AWS in August 2025, and the company immediately worked to remediate the issue. Specific hardening measures were taken to prevent such an attack, including the implementation of a Pull Request Comment Approval build gate, which provides organizations a secure way to prevent untrusted builds, according to Wiz. (David Jones / Cybersecurity Dive)
Related: Wiz, Techzine, CSO Online
Eurail confirmed customer information was stolen in a data breach, according to notification emails sent out this week.
The European travel company, also known as Interrail to EU residents, initially posted the news on January 10, but affected customers, the number of whom was not disclosed, began receiving emails on January 13.
Customers who purchased a travel pass directly from Eurail/Interrail did not have a visual copy of their passports stored on company systems.
However, the same is not true for those who received a pass through the DiscoverEU program, an Erasmus-funded initiative that invites travelers to explore the EU by rail.
The European Commission published a separate notice about the Eurail breach, saying that in addition to the data specified in the company's email, DiscoverEU travelers may also have photocopies of their IDs, bank account reference numbers, and health data compromised.
"To our knowledge, there is currently no evidence that the data has been misused or publicly disclosed," it stated. "Eurail reassured the Commission that external cybersecurity specialists are consistently monitoring this." (Connor Jones / The Register)
Related: Eurail, SC Media UK, r/Interrail
The head of South Korea's Fair Trade Commission (FTC) has reiterated warnings of a possible business suspension for Coupang over its massive data breach.
Under the nation's E-Commerce Act, the regulator may impose penalties on Coupang unless the company takes sufficient remedial measures to compensate customers. A joint investigation team led by the Ministry of Science and ICT is looking into the breach, which involved some 33.7 million users and their data.
Earlier this week, FTC Chairman Ju Biung-ghi reiterated that Coupang’s business operations could be suspended if it does not abide by the upcoming FTC order.
Experts say the authority may push ahead with the suspension in a show of regulatory resolve against companies engaging in unlawful and unfair business practices.
Separately, South Korean e-commerce giant Coupang Inc. began distributing up to 50,000 won ($34) in purchase vouchers to customers affected by a recent data breach on Thursday, even as it continues to face complaints over limits on how the compensation can be used.
Coupang started sequentially issuing 50,000 won worth of purchase vouchers to 33.7 million customers who received notifications of the data breach.
Customers are asked to log into the Coupang app to check their eligibility, after which the vouchers are issued. Coupang plans to send text messages and emails with instructions on how to use them.
The compensation consists of four types of vouchers: 5,000 won for all Coupang products, 20,000 won for Coupang Travel accommodations and tickets, 20,000 won for R.LUX beauty and fashion products, and 5,000 won for Coupang Eats delivery and shopping.
The vouchers are also provided to customers who have already withdrawn their membership.
After Coupang announced the compensation plan on December 29, it faced criticism that the vouchers were effectively marketing coupons. Critics pointed out that R.LUX focuses on higher-priced beauty and fashion items and that Coupang Travel mainly offers expensive products. (Lee Min-hyung / Korea Times and Park Yun-gyun and Han Yubin / Pulse)
Related: Pulse, Chosun Biz, The Korea Times
The Anchorage Police Department in Alaska said it took a range of actions to address a recent cyberattack on one of its technology service providers.
A police department spokesperson said that the incident relates to a cyberattack involving data migration firm Whitebox Technologies, which alerted the police department of a security incident on January 7. The company did not respond to requests for comment.
The city’s IT department “shut down the relevant APD servers and disabled the vendor and all third-party service provider access.” Anchorage is Alaska’s largest city and is home to about 300,000 people.
“Additionally, ITD oversaw the deletion and removal of all remaining APD data from the third-party service provider servers,” the statement said. “APD initiated continued oversight of its systems and will continue to closely monitor for any unusual activity.”
The police department said there “is no evidence indicating that APD systems have been compromised or that the threat actor has acquired any APD data.”
But officials will monitor systems and implement “protective measures” to safeguard information. A spokesperson pledged that the police department will notify anyone potentially impacted by the incident. (Jonathan Greig / The Record)
Related: Anchorage Police Department, Anchorage Daily News, The Cyber Express
Researchers at Group-IB are warning that a recently identified ransomware strain is using Polygon smart contracts in an unusual way that could make its infrastructure harder to disrupt.
They say the ransomware, known as DeadLock, is abusing publicly readable smart contracts on the Polygon (POL) network to store and rotate proxy server addresses used to communicate with infected victims.
DeadLock was first observed in July 2025 and has remained relatively low profile since then. Group-IB said the operation has a limited number of confirmed victims and is not linked to any known ransomware affiliate programs or public data leak sites.
Despite its low visibility, the firm warned that the techniques being used are highly inventive and could pose serious risks if copied by more established groups. (Leon Okwatch / crypto.news)
Related: Group-IB, SC Media, Bank Info Security, Decrypt, Infosecurity Magazine, The Register
According to Expel researchers, the Gootloader malware, typically used for initial access, is now being delivered in a malformed ZIP archive designed to evade detection: the file is built by concatenating hundreds of ZIP archives, up to 1,000 in total.
The payload, a JScript file stored inside the archive, causes many analysis tools to crash when they try to parse the file.
The malicious archive unpacks correctly with the default Windows extractor, but tools that rely on 7-Zip and WinRAR fail to process it.
The threat actor behind the malware concatenates between 500 and 1,000 ZIP archives and layers on additional tricks to make parsing harder for analysis tools.
The Gootloader malware loader has been active since 2020 and is used by various cybercriminal operations, including ransomware deployments. (Bill Toulas / Bleeping Computer)
Related: Expel
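Why concatenated archives split tools into "extracts fine" and "fails" comes down to which end of the file a parser trusts: the ZIP end-of-central-directory (EOCD) record sits at the end, so a reader that starts from the last EOCD sees only the final archive, while a reader that walks the file from the front sees the decoy archives first. The following is an added example for this newsletter, not Expel's tooling or a real Gootloader sample; the decoy and script file names are constructed, and the scanner simply walks every local file header so a detection pipeline enumerates all embedded entries rather than just those in the last archive.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"    # local file header signature
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory signature
LFH_FMT = "<4sHHHHHIIIHH"  # the 30-byte fixed part of a local file header
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".hta")


def build_concatenated_zip(archives):
    """Glue independently valid ZIP archives into one blob.

    `archives` is a list of {filename: bytes} dicts; each becomes a complete
    archive (local headers, central directory, EOCD) appended to the previous
    one. Sample contents used with this function are constructed, not malware.
    """
    out = io.BytesIO()
    for entries in archives:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        out.write(buf.getvalue())
    return out.getvalue()


def names_seen_by_eocd_reader(data):
    """What a reader that trusts only the last EOCD record believes the blob
    contains (Python's zipfile behaves this way): the final archive only."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def walk_all_local_headers(data):
    """Enumerate every local file header in the blob, however many archives
    were concatenated, so a scanner sees every embedded entry."""
    names = []
    pos = 0
    header_len = struct.calcsize(LFH_FMT)
    while True:
        pos = data.find(LFH_SIG, pos)
        if pos < 0 or pos + header_len > len(data):
            break
        (_sig, _ver, _flags, _method, _mtime, _mdate, _crc,
         csize, _usize, fnlen, extralen) = struct.unpack_from(LFH_FMT, data, pos)
        start = pos + header_len
        names.append(data[start:start + fnlen].decode("utf-8", "replace"))
        # Skip the compressed payload when the header carries its size; a
        # zero size (data-descriptor entries) just advances past the name.
        pos = start + fnlen + extralen + csize
    return {
        "entries": names,
        "archive_count": data.count(EOCD_SIG),
        "script_entries": [n for n in names if n.lower().endswith(SCRIPT_EXTS)],
    }
```

A file whose EOCD count is in the hundreds, or whose front-to-back entry list disagrees with what the last-EOCD reader reports, is itself a strong signal; the script-extension filter then flags the JScript loader that the decoy archives are meant to hide.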
Cisco patched a maximum-severity Cisco AsyncOS zero-day exploited in attacks against Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances since November 2025.
As Cisco explained in December, when it disclosed the vulnerability (CVE-2025-20393), it affects only Cisco SEG and Cisco SEWM appliances with non-standard configurations when the Spam Quarantine feature is enabled and exposed on the Internet.
"Cisco Secure Email Gateway, Secure Email, AsyncOS Software, and Web Manager appliances contain an improper input validation vulnerability that allows threat actors to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance," Cisco said.
Detailed instructions for upgrading vulnerable appliances to a fixed software version are available in a security advisory. (Sergiu Gatlan / Bleeping Computer)
Related: Cisco Talos, WebProNews, The Register, Security Week
In a confirmation hearing with lawmakers, Army Lt. Gen. Joshua Rudd, Donald Trump’s nominee for top uniformed cyber chief, said he would evaluate the efficiency of the dual-hat leadership role between US Cyber Command and the National Security Agency if he’s confirmed to the job, touching on one of the community’s most heated policy debates.
Rudd, who is currently the deputy commander of US Indo-Pacific Command, was asked by multiple Senate Armed Services Committee members about the two organizations he may inherit and what he thought about their current leadership structure.
Rudd said that throughout his career — which is primarily based in special operations — he’s seen a “demonstration of effectiveness, as well as efficiency” under the dual-hat role held by the Cybercom commander and NSA director.
He added that “the ability for that individual to continue to harness and integrate the incredible capabilities of both those organizations I think is a component that enables” both agencies “to provide great support to our warfighters.”
However, he left the door open for change.
“If I’m confirmed for this, I think my role is to be objective about that as that comes up, or if it continues to come up as a topic,” Rudd said. (Drew F. Lawrence / DefenseScoop)
Related: C-SPAN, The Record, NextGov/FCW, Meritalk
Comparitech reported that in 2025, there were 7,419 ransomware attacks worldwide, representing a 32% increase over the 5,631 attacks recorded in 2024.
Of the 7,419 attacks noted in 2025, 1,173 were confirmed by the targeted organizations. Ransomware groups claimed the remaining incidents on their data leak sites, but those claims have not been publicly acknowledged by the affected organizations.
Manufacturing was the hardest-hit sector throughout 2025, while attacks on healthcare and education providers appeared to plateau last year, with very similar year-on-year figures. (Anna Ribeiro / Industrial Cyber)
Related: Comparitech, Plant Services
Iran’s crackdown on dissidents is shaping up as one of the toughest security tests yet for Elon Musk’s Starlink, which has served as a lifeline against state-imposed internet blackouts since its deployment during the war in Ukraine.
How SpaceX withstands Iranian attacks on its most lucrative line of business is expected to be closely watched by US military forces and intelligence agencies that use Starlink and its military-grade variant Starshield, as well as China, whose own nascent satellite internet constellations are set to rival Starlink in the coming years.
Starlink is banned in Iran, yet tens of thousands of terminals may have been smuggled into the country, although it remains unclear how many are in use, according to Holistic Resilience, a US nonprofit that has helped deliver Starlink terminals to Iranians and says it is working with SpaceX to monitor what it describes as Iranian attempts to jam the system.
Iran is likely using satellite jammers to disrupt the Starlink signals, according to Holistic Resilience and other specialists. Iran also appears to be engaging in so-called spoofing, or broadcasting fake GPS signals to confuse and disable Starlink terminals, according to Nariman Gharib, an Iranian opposition activist and independent cyber espionage investigator based in Britain.
The GPS spoofing wreaks havoc on a Starlink terminal's connection and slows internet speeds, said Gharib, who analyzed data from a terminal inside Iran.
"You might be able to send text messages, but forget about video calls," he said. (Joey Roulette and Cassell Bryan-Low / Reuters)
Related: Rest of World
Best Thing of the Day: When the Check Is Bigger Than You Expected
Current and former Rhode Island state employees have begun receiving payments from a settlement over a 2021 data breach involving RIPTA and UnitedHealthcare, and are receiving on average $400 per claimant, more than they expected.
Bonus Best Thing of the Day: All Governments Should Do This
The Australian Signals Directorate is warning businesses about uploading files to AI chatbots or genAI platforms.
Worst Thing of the Day: The World Is Repulsed by X
Japan joined the growing list of countries probing X over Elon Musk’s artificial intelligence service Grok and the chatbot’s role in creating and spreading sexualized images of people without their consent.
Bonus Worst Thing of the Day: X Lies About Stopping Sexualized Videos
X has continued to allow users to post highly sexualized videos of women in bikinis generated by its AI tool Grok, despite the company’s claim to have cracked down on misuse.
Closing Thought
