Cyber Briefing: 2025.11.11
NuGet payloads delay sabotage, Triofox flaw exploited, GlassWorm hits VS Code, China cyber tools leaked, schools hacked, Italy spyware, hacker guilty, AI leaks secrets, Australia sanctions DPRK.
👉 What’s the latest in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Delayed Payloads Hit NuGet Packages
Nine malicious NuGet packages, published by “shanhai666,” were found to contain time-delayed payloads that target and sabotage major SQL databases and industrial control systems (PLCs). The packages, which were downloaded nearly 9,500 times, feature staggered activation dates, with some scheduled to trigger in 2027 and 2028, making attribution difficult.
2. Triofox Flaw Exploited In The Wild
Google’s Mandiant security team has detected n-day exploitation of a critical, previously patched vulnerability (CVE-2025-12480) in Gladinet’s Triofox file-sharing and remote access platform. The flaw allows attackers to bypass authentication and execute arbitrary code; exploitation was observed nearly a month after the patch was released, so unpatched Triofox instances should be updated without delay.
3. GlassWorm Found In Three VS Code Extensions
Cybersecurity researchers have uncovered three new malicious Visual Studio Code (VS Code) extensions linked to the GlassWorm campaign, which uses an invisible Unicode character trick to hide its code and steal Open VSX, GitHub, and cryptocurrency credentials. Despite earlier removals by Open VSX, the threat has resurfaced, utilizing resilient blockchain-based command-and-control infrastructure to continue spreading and compromising real organizations globally, including a major Middle Eastern government entity.
💥 Cyber Incidents
4. Chinese Breach Exposes Cyber Weapons
A significant data breach was reported last week at Knownsec, a Chinese security company reportedly linked to Beijing and the Chinese military. The breach, revealed by the Chinese infosec blog MXRN, reportedly exposed over 12,000 classified documents, including details on China’s state-owned cyber weapons, internal tools, and a global list of targets.
5. Manassas Schools Close After Cyberattack
Manassas City Public Schools (MCPS) closed all campuses on Monday, November 10th, following a cybersecurity incident that caused widespread connectivity and phone outages across the district. Superintendent Dr. Kevin Newman stated the closure, which does not pose a physical risk to school campuses, is a precautionary step allowing internal and external experts to secure and restore the affected systems.
6. Italian Adviser Targeted By Paragon Spyware
Political communications strategist and former Democratic Party communications director Francesco Nicodemo has been identified as a new target of the sophisticated Paragon spyware surveillance campaign, marking a concerning escalation in digital espionage against Italian political figures. The breach, discovered on January 31, 2025, involved a zero-click attack that compromised Nicodemo’s Android device, potentially exposing sensitive opposition political strategies and communications.
📢 Cyber News
7. Yanluowang Broker Pleads Guilty
A Russian national is set to plead guilty to charges related to his role as an initial access broker for the Yanluowang ransomware group, which targeted at least eight U.S. companies between July 2021 and November 2022. The defendant, Aleksey Olegovich Volkov, faces a lengthy prison sentence and will be required to pay over $9.1 million in restitution for facilitating attacks that resulted in at least $1.5 million in ransom payments.
8. Forbes AI 50 Firms Leak Secrets
Cloud security firm Wiz analyzed GitHub repositories belonging to the world’s largest AI companies and found that 65% of those with a GitHub presence had leaked verified secrets, such as API keys and credentials, which could expose sensitive information, private models, and training data. Wiz’s comprehensive study, which went beyond traditional scanning to examine full commit history, workflow logs, and contributor repositories, ultimately showed that the total value of companies with verified leaks was over $400 billion.
9. Australia Sanctions North Korea Hackers
Australia, in coordination with the United States, has imposed sanctions on four entities and one individual for their alleged involvement in cybercrime activities that generate illegal revenue to support North Korea’s weapons programs, including cryptocurrency theft and fraudulent IT worker schemes. The government is applying pressure on these illicit networks and urging North Korea to comply with United Nations Security Council resolutions to abandon its weapons programs.
💡 Cyber Tip
🐍 GlassWorm Found in Three VS Code Extensions
Researchers have uncovered three malicious Visual Studio Code (VS Code) extensions linked to the GlassWorm campaign. These infected add-ons, ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs, use invisible Unicode characters to hide code that steals credentials from Open VSX, GitHub, and cryptocurrency wallets. The malware has resurfaced despite earlier removals and now uses blockchain-based command and control (C2) systems to stay active.
🔐 What You Should Do
Immediately uninstall the affected extensions and scan your system for suspicious activity.
Revoke and reset GitHub, Open VSX, and crypto wallet credentials.
Avoid installing VS Code extensions from unverified publishers or unknown sources.
Check your installed extensions in VS Code and confirm their legitimacy in official marketplaces.
Monitor for strange commits, repository activity, or unauthorized access.
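As an added check for the steps above (example code written for this briefing, not tooling from the article, from VS Code, or from any of the named publishers): a Python script that walks a VS Code extensions folder, flags the three extension IDs named above, and scans each extension's JavaScript/TypeScript sources for invisible Unicode code points. The set of "invisible" ranges and the toy variation-selector encoding used in the built-in demo are assumptions for illustration; the exact encoding the campaign uses is not detailed on this page.

```python
"""Audit installed VS Code extensions for GlassWorm-style hidden code.

Added example for this briefing, not tooling from the original article,
from Microsoft, or from any of the named extension publishers.
"""
import json
import sys
import tempfile
import unicodedata
from pathlib import Path

# Extension IDs named in the article (publisher.name, as VS Code lists them).
GLASSWORM_EXTENSION_IDS = {
    "ai-driven-dev.ai-driven-dev",
    "adhamu.history-in-sublime-merge",
    "yasuyuky.transient-emacs",
}

# Assumed for this example: code points that render as nothing (or only
# reorder text) and so have no business in extension source. Inclusive ranges.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # BOM used mid-file
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".json"}


def is_invisible(cp: int) -> bool:
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible_chars(text: str):
    """Return (line, column, codepoint, name) for each invisible code point."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if is_invisible(ord(ch)):
                hits.append((lineno, col, ord(ch), unicodedata.name(ch, "UNASSIGNED")))
    return hits


def scan_extension_dir(ext_dir: Path):
    """Map relative source path -> hits, for files that contain hidden code points."""
    findings = {}
    for path in ext_dir.rglob("*"):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        hits = find_invisible_chars(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(ext_dir).as_posix()] = hits
    return findings


def extension_id(ext_dir: Path):
    """publisher.name from the extension's package.json, or None if unreadable."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    if not data.get("publisher") or not data.get("name"):
        return None
    return f"{data['publisher']}.{data['name']}".lower()


def audit_extensions_root(root: Path):
    """Audit every extension folder under root (normally ~/.vscode/extensions)."""
    report = []
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        ext_id = extension_id(ext_dir) or ext_dir.name
        report.append({
            "id": ext_id,
            "known_glassworm": ext_id in GLASSWORM_EXTENSION_IDS,
            "hidden_chars": scan_extension_dir(ext_dir),
        })
    return report


def suspicious(report):
    """Entries that are either a named GlassWorm ID or carry hidden code points."""
    return [r for r in report if r["known_glassworm"] or r["hidden_chars"]]


def run_demo():
    """Build a constructed extensions folder (one clean, one tampered) and audit it."""
    root = Path(tempfile.mkdtemp()) / "extensions"
    clean = root / "good.helper-1.0.0"  # constructed, not a real extension
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"publisher": "good", "name": "helper"}))
    (clean / "extension.js").write_text("exports.activate = () => {};\n", encoding="utf-8")

    bad = root / "adhamu.history-in-sublime-merge-1.0.0"  # version string constructed
    (bad / "out").mkdir(parents=True)
    (bad / "package.json").write_text(
        json.dumps({"publisher": "adhamu", "name": "history-in-sublime-merge"}))
    # Toy stand-in for the hiding trick (assumption): bytes encoded as variation
    # selectors, which editors render as nothing after an innocent-looking statement.
    hidden = "".join(chr(0xFE00 + (b & 0xF)) for b in b"fetch")
    (bad / "out" / "extension.js").write_text(
        "const run = require('./runner');" + hidden + "\n", encoding="utf-8")
    return audit_extensions_root(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("~/.vscode/extensions").expanduser()
    for entry in suspicious(audit_extensions_root(target) if target.is_dir() else run_demo()):
        print(entry["id"], "KNOWN-GLASSWORM" if entry["known_glassworm"] else "",
              {f: len(h) for f, h in entry["hidden_chars"].items()})
```

Run it as `python3 scan_extensions.py ~/.vscode/extensions` (or the extensions folder of your VS Code fork); with no argument, or a non-existent folder, it audits the constructed demo instead. Review hits in context before acting on them: U+FE0F legitimately follows emoji in UI strings, so a single selector inside a localisation JSON is not evidence, whereas a run of zero-width or variation-selector code points sitting after a statement in a `.js` file is exactly the pattern to worry about.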
⚠️ Why This Matters
GlassWorm shows how trusted developer tools can be exploited to spread malware. By hiding code within legitimate-looking extensions and using blockchain for resilience, attackers can maintain long-term access and steal sensitive data. Regular checks, credential updates, and cautious extension management are key to staying secure.
📚 Cyber Book
Phishing Pitfalls by Vlad Ivanusca
That concludes today’s briefing.
Copyright © 2025 CyberMaterial. All Rights Reserved.
Follow CyberMaterial on:
Substack, LinkedIn, Twitter, Reddit, Instagram, Facebook, YouTube, and Medium.