Weekly One-Shot: June 1 - June 7, 2025

This week's threats and trends.

Before we dive in, I would like to thank all of you for supporting us with your subscription! My goal is to bring both actionable insights and easy-to-digest information regarding cybersecurity threats to non-tech and technical professionals alike. If this sounds like something that would help someone you know, please share the newsletter!

This week’s threat landscape felt like a zero-day buffet, with Chrome and Cisco flaws ready for the picking, state-sponsored phishing with Evilginx, and a coordinated hit on the DevOps world. You're not alone if your IR team hasn’t had rest in days.

But we’ve sorted the noise from the signal. You’ve got breaches, browser bugs, and blunders by browser plugins—plus a few fashion brands who still don’t believe in basic security. Let’s break it all down.

Caffeinate. Patch. Breathe. Then scroll on.

This week in Cybersecurity

  1. Popular Chrome Extensions Leak API Keys, User Data via HTTP and Hardcoded Credentials
    Careless coding in major extensions like SEMRush Rank and Browsec VPN exposed sensitive user data over plain HTTP—plus hardcoded tokens ripe for abuse.
    Newsletter: June 3, 2025

  2. Cisco Patches Critical Flaws in ISE and CCP Products—with Exploits Already in the Wild
    Static cloud credentials and arbitrary file upload bugs (CVE-2025-20286, et al.) make Cisco customers vulnerable to cross-deployment compromise.
    Newsletter: June 3, 2025

  3. Iran-Linked BladedFeline Group Targets Kurdish and Iraqi Officials with Custom Malware
    BladedFeline (likely linked to OilRig) is back with backdoors like Whisper and Spearal to spy on Middle Eastern government systems.
    Newsletter: June 3, 2025

  4. Russian Hackers Use Evilginx to Breach 20+ NGOs with Fake Microsoft Entra Pages
    Void Blizzard's latest phishing campaign used PDF QR codes and Evilginx proxies to swipe session tokens from NGO targets.
    Newsletter: June 5, 2025

  5. Cryptojacking Campaign Hits DevOps APIs Using Tools Pulled from GitHub
    Attackers deployed miners on exposed Docker, Gitea, and HashiCorp Nomad servers, burning thousands in CPU credits.
    Newsletter: June 5, 2025

  6. 78 Microsoft Vulnerabilities Found, Including Critical Flaws in Windows, Office, and Azure
    June’s patch dump covers remote code execution, privilege escalation, and Azure misconfigurations—CVE-2025-29959 among the worst.
    Newsletter: June 3, 2025

  7. Linux Core Dump Bugs Let Local Attackers Steal Password Hashes (CVE-2025-5054)
    Apport and systemd-coredump race conditions allow /etc/shadow data theft via core dumps on Ubuntu and RHEL.
    Newsletter: June 5, 2025

  8. The North Face Suffers Another Credential Stuffing Attack—Fourth Since 2020
    Names, emails, phone numbers, and purchase histories were exposed—again. Still no MFA by default for customers.
    Newsletter: June 5, 2025

  9. Cartier Discloses Breach in Ongoing Campaign Targeting Fashion Retailers
    Minimal data stolen (names, emails, countries), but the real story is that high-end brands are being hit in a coordinated wave.
    Newsletter: June 5, 2025

  10. HMRC Breach: 100,000 UK Taxpayer Accounts Compromised via Phishing
    No direct theft, but over £47 million was falsely claimed using hijacked self-assessment accounts.
    Newsletter: June 3, 2025

Biggest Threat This Week

New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch
Newsletter: June 5, 2025

Google dropped an emergency fix for CVE-2025-5419, an actively exploited flaw in Chrome’s V8 JavaScript engine. It’s a classic out-of-bounds read/write issue that can allow remote attackers to hijack your session or execute arbitrary code with the help of a malicious HTML file. What makes this scarier? The attackers were already using it in the wild before the patch landed.

Risk Level: Critical
Tactics: Initial Access, Execution

Action Steps:

  • Patch Chrome immediately—version 137.0.7151.68/.69

  • Force browser updates org-wide (including Edge, Brave, etc.)

  • Monitor for weird post-exploit behavior

  • Turn on browser isolation for high-risk users
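To check the first two action steps against a fleet inventory, the following added example (not part of the original newsletter) triages hosts against the fixed Chrome build named above. The inventory rows and hostnames are constructed, and the `triage` and `parse_version` helpers are hypothetical names; versions are compared as numeric tuples because a plain string comparison would rank 137.0.7151.9 above 137.0.7151.68.

```python
import re

# Fixed build named in the newsletter (137.0.7151.68/.69); .68 is used as the floor.
FIXED_CHROME = (137, 0, 7151, 68)
VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted 4-part version."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def triage(inventory):
    """Sort (host, browser, version) rows into patched / vulnerable / review."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for host, browser, version in inventory:
        parsed = parse_version(version)
        if browser.strip().lower() != "chrome" or parsed is None:
            # Other Chromium-based browsers ship the fix under their own version
            # numbers, and unparseable versions cannot be trusted: review by hand.
            result["review"].append(host)
        elif parsed >= FIXED_CHROME:
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Chrome", "137.0.7151.69"),
    ("ws-002", "Chrome", "137.0.7151.55"),
    ("ws-003", "Chrome", "136.0.7103.114"),
    ("ws-004", "Edge", "137.0.3296.62"),
    ("ws-005", "Chrome", "unknown"),
    ("ws-006", "chrome", "138.0.7204.49"),
    ("ws-007", "Chrome", "137.0.7151.9"),  # numerically below .68
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the review bucket need their vendor's own fixed version looked up before they are marked as patched.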

Training Recommendation

“Browser Security in the Age of Evilginx and Malicious Extensions”
This week’s attacks underscore how browsers—once just gateways to the internet—are now prime real estate for adversaries. Recommend your team take a focused training session on:

  • Understanding modern phishing kits like Evilginx

  • Recognizing API abuse and extension overreach

  • Hardening browsers in enterprise environments (extension whitelisting, browser isolation, forced patching)

SANS offers short modules on browser hardening and phishing-resistant MFA, or you can roll your own micro-training using real IOCs from this week’s Evilginx campaign.

Wrapping Up:

From Chrome zero-days and credential leaks to cloud-targeted cryptojacking and espionage-grade phishing, this week proved that even your browser extensions can be a backdoor. If it connects to the internet, assume it’s hostile. Patch fast, monitor smarter, and keep one eye on the logs—and the other on your extensions.
