Cyber Briefing: 2025.06.27
Open VSX flaw risks supply chain attack, nOAuth enables SaaS takeovers, printers vulnerable to default password flaw. Airlines, insurers, and courts hit; IntelBroker charged for global data breaches.
👉 What are the latest cybersecurity alerts, incidents, and news?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Open VSX Flaw Allowed Extension Hijacks
A critical vulnerability in the Open VSX Registry, an open-source marketplace for Visual Studio Code extensions, could have allowed attackers to take full control of the platform. Discovered by a security researcher, the flaw was in an automated GitHub Actions workflow that exposed a privileged access token to the build scripts of all published extensions. A malicious actor could have exploited this to steal the token and then publish malicious updates to every extension in the marketplace, creating a massive supply chain attack. Following a responsible disclosure, the vulnerability was fully patched by the project's maintainers on June 25, 2025, closing the severe security hole.
2. nOAuth Flaw Allows Easy Account Takeover
A critical vulnerability dubbed "nOAuth" has emerged as a severe threat to applications using Microsoft's Entra ID for authentication. The flaw allows attackers to take over user accounts by creating an account in their own system with the same email address as their victim. Security firm Semperis recently found that approximately 9% of enterprise SaaS applications they tested were still vulnerable to this abuse. This attack method is particularly dangerous because it bypasses security controls like multi-factor authentication, as the login appears legitimate to the vulnerable application.
3. Unpatchable Flaw In Hundreds Of Printers
A critical vulnerability has been discovered in nearly 700 printer models from Brother and dozens more from other brands like Fujifilm and Toshiba. The flaw allows a remote attacker to easily regenerate the device's default administrator password using its serial number, granting them full control. According to security firm Rapid7, this vulnerability cannot be fixed with a firmware update on existing devices because it is rooted in the manufacturing process. Owners of the affected printer models are being urged to immediately change the default admin password to mitigate the risk of a takeover.
💥 Cyber Incidents
4. Hawaiian Airlines Hit By Cyberattack
Hawaiian Airlines is investigating a cyberattack that has disrupted some of its internal IT systems, though the company confirms flight safety and schedules are unaffected. The tenth-largest U.S. airline announced the security incident on Thursday morning and has engaged law enforcement and external cybersecurity experts to investigate. While the nature of the attack has not been disclosed and no group has claimed responsibility, both the airline and the FAA are monitoring the situation. This event follows a similar cyberattack that disrupted online services for Canada's second-largest airline, WestJet, earlier this month.
5. Qilin Ransomware Gang Hacks Estes Freight
Freight company Estes Forwarding Worldwide confirmed it suffered a cyberattack on May 28 and has begun notifying victims. The ransomware gang Qilin has taken credit for the attack, posting samples of allegedly stolen data including passports and driver's licenses. The company's CEO stated that due to robust security protocols, there was no significant disruption to business operations. This is the second major ransomware incident to hit the Estes family of companies, following a 2023 attack on its parent company, Estes Express Lines.
6. Generali Customer Data Exposed In Hack
Insurer Generali Tranquilidade has confirmed it was the target of a cyberattack last Friday, June 20, that resulted in a customer data breach. According to the company, the attackers gained unauthorized access to identification and contact information like names, tax numbers, and dates of birth. The company has assured customers that no financial data, health information, or account passwords were compromised in the incident. While stating no customer action is needed, the insurer is warning impacted clients to be cautious of potential phishing campaigns using their stolen data.
📢 Cyber News
7. NSA Veteran Takes Key US Cyber Command Role
Patrick Ware, a 34-year veteran of the National Security Agency, has been named the new executive director and top civilian leader at U.S. Cyber Command. He replaces Morgan Adamski in the command's number three spot, which is traditionally held by an NSA official. Ware joins the organization at a critical time, as it has been without a permanent chief for nearly three months and a planned "Cyber Command 2.0" revamp is stalled. In his new role, Ware will help steer strategic initiatives to advance the command's capabilities, talent management, and partnerships amid this leadership uncertainty.
8. Judge Warns Of PACER System Cyber Risk
A federal judge has warned U.S. lawmakers that the nation's court system is under constant attack by sophisticated hackers, with 200 million harmful events blocked in the last fiscal year alone. Testifying before the House Judiciary Committee, Judge Michael Scudder stated that the Public Access to Court Electronic Records (PACER) system is "unsustainable due to cyber risks." The Justice Department is now requesting $74 million in the fiscal year 2026 budget to overhaul the vulnerable platform, which holds sensitive data including sealed indictments and national security information.
9. US Charges Notorious Hacker IntelBroker
A 25-year-old British national named Kai West, alleged to be the notorious hacker "IntelBroker," has been charged by the U.S. for a years-long cybercrime spree. The indictment accuses him of stealing and selling sensitive data from dozens of victims, including government agencies and major corporations like Europol and General Electric, causing an estimated $25 million in damages. The FBI was able to identify West after an undercover agent purchased stolen data from him, then traced the Bitcoin payment back to an account registered with West's driver's license.
📈 Cyber Stocks
On Friday, June 27, 2025, cybersecurity stocks reflected the following:
Okta (OKTA) closed at $98.13, down slightly as investor sentiment remained cautious due to lackluster full-year guidance, despite consistent demand for its identity-access solutions.
Varonis (VRNS) rose to $50.93, driven by positive market response to newly launched AI-powered data security features and its completed transition to a SaaS-first model.
CrowdStrike (CRWD) surged to $505.22, propelled by bullish analyst outlooks and anticipation around its Fal.Con conference featuring key AI and endpoint security announcements.
Palo Alto Networks (PANW) dipped to $202.34, with the decline attributed to profit-taking after a recent rally fueled by expectations of new federal cybersecurity contracts and pre-Ignite ’25 excitement.
Qualys (QLYS) edged up to $141.78, supported by renewed investor interest in vulnerability management as consolidation heats up in the cybersecurity space and compliance budgets expand.
💡 Cyber Tip
Be Cautious as Critical Printer Flaw Enables Remote Takeover
A critical flaw affects nearly 700 different Brother printer models, along with several from brands like Fujifilm and Toshiba. The vulnerability allows attackers to recreate the default admin password using just the printer’s serial number. Because the flaw is built into how passwords are generated during manufacturing, it can’t be fixed with a software update. If exploited, attackers can gain full control of the printer, access stored documents, and potentially move through the connected network.
✅ What you should do:
Immediately change the default admin password on any affected printer model, even if it's not internet-facing.
Restrict network access to printers using firewalls or VLANs to prevent unauthorized remote access.
Disable unnecessary services like remote admin or cloud printing features if not actively used.
Monitor printer logs and network activity for suspicious connections or configuration changes.
Review manufacturer advisories and stay updated in case future mitigations are offered.
🔒 Why this matters:
This vulnerability can’t be patched on existing devices, making proactive defense the only line of protection. Attackers who gain access to a printer can use it as a launch point to infiltrate broader IT environments, steal data, or disrupt operations. Taking action now is critical to minimizing risk.
📚 Cyber Book
Why Privacy Matters by Neil Richards
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.