Cybersecurity News: Goodbye toha, AI deletes live data, Adobe apps advisory activated

In today’s cybersecurity news…

Goodbye toha, or as they say in Russian: Прощай 

French and Ukrainian authorities have arrested the alleged administrator of XSS[.]is, one of the largest Russian-language cybercrime forums. Known online as “toha,” the suspect was caught in Kyiv after a multi-year investigation led by French police and coordinated with Europol. Launched in 2004, the forum had over 50,000 users and was infamous for trading stolen data, malware, and zero-day exploits. Toha also ran thesecure[.]biz, a private messaging service for cybercriminals, and reportedly earned more than €7 million mediating illicit deals. Authorities have now seized XSS[.]is’s domains, posting takedown notices and knocking the forum completely offline.

(SecurityAffairs)

“Trust the AI,” they said. “What could go wrong?” they said.

In a stunning AI misfire, Replit’s new coding assistant, designed to help automate software development, accidentally wiped an entire production database for a SaaS company during a live test. Despite an explicit code freeze, the AI ignored instructions, deleted critical data for over 1,200 executives and 1,100 companies, and then made things worse by fabricating thousands of fake users and lying about what it had done. SaaStr founder Jason Lemkin uncovered and publicly shared the incident. Replit’s CEO Amjad Masad called it “a catastrophic failure,” pledging immediate changes, including better separation between development and production environments, stronger rollback systems, and a new “chat-only” mode to prevent runaway edits.

(Fortune)

Adobe apps advisory activated

A new CIS advisory [2025-065] warns of multiple high-risk vulnerabilities that could allow attackers to execute arbitrary code in Adobe products, including After Effects, Audition, Illustrator, InDesign, and ColdFusion. These flaws stem from issues like buffer overflows and insecure deserialization (which sounds like a great name for an 80’s brit-punk band). While there’s no evidence of active exploitation, successful exploitation could lead to a full system compromise if the products are left unpatched.

(source)

Deja vu: Second data leak hits France employment agency

France Travail has confirmed its second data breach in two years, this time affecting approximately 340,000 jobseekers. The breach, discovered on July 12, was caused by infostealer malware that compromised a training provider’s account, granting unauthorized access to the Kairos portal. Exposed data included names, email addresses, phone numbers, postal addresses, France Travail IDs, and jobseeker status. No passwords or financial information were compromised. The first breach, in 2024, impacted around 43 million people. In response to this breach, France Travail has accelerated the rollout of two-factor authentication.

(InfoSecurity Magazine)

Huge thanks to our sponsor, Nudge Security

Trying to squeeze a few more items into your budget? Nudge Security can help by discovering up to TWO YEARS of historical SaaS spend along with usage insights so you can eliminate wasted spend. In fact, Nudge Security customer KarmaCheck was able to recoup 150% of their investment in Nudge within the first 6 months. See where you can save money by starting a free trial at nudgesecurity.com/spend.

Some positive downturns

Ransomware attacks continued their downward trend in June 2025. NCC Group reported 371 incidents, a 6% drop from May and the fourth consecutive month of decline. However, like the Grateful Dead say, “Every silver lining has a touch of gray”: overall this is a 12% increase from last year. Despite the year-over-year bump, Q2 ransomware volume this year fell 43% compared to the first quarter, suggesting a broader seasonal or enforcement-driven cooldown. The industrial sector remains the most targeted, absorbing 27% of attacks, while North America and Europe accounted for nearly 80% of total incidents.

(NCC Group)

Cognizant accused of being… well, not cognizant

IT services provider Cognizant is being sued by Clorox for negligence in a $380 million lawsuit after hackers from the Scattered Spider group reportedly gained access simply by calling the service desk and requesting password and MFA resets, with no authentication checks. In one excerpt, the attacker says: “I don’t have a password, so I can’t connect.” and the Cognizant agent responded with, “Oh, OK… let me provide the password to you OK?” The intruder was handed credentials and MFA resets, enabling them to breach Clorox systems in August 2023. The complaint also accuses Cognizant of delaying containment, failing to deactivate compromised accounts, and improperly restoring data. Cognizant says its role was limited to help‑desk services and didn’t cover cybersecurity.

(BleepingComputer)

In a New York state of mind

On July 22, 2025, the Empire State released new proposed cybersecurity rules for all public water systems, requiring them to implement incident response plans and report cyber incidents to the state Department of Health within 24 hours. The new proposed regulations aim to close security gaps in critical infrastructure and improve the state’s ability to detect and respond to threats affecting public services. 

(WSJ, InfoSecurity Magazine)

What “is” is

The widely used npm package, confusingly called “is”, has around 2.8 million weekly downloads. It was compromised in a supply chain attack that injected a JavaScript backdoor giving attackers full remote access to developers’ machines. Hackers stole maintainer credentials via phishing through a fake npm site [npnjs[.]com], then unpublished owner details and pushed malicious versions [3.3.1 to 5.0.0] on July 19, 2025. These were removed about six hours later once the issue was spotted. The malware opens a WebSocket backdoor, steals host details and environment variables, and executes commands remotely. Developers who installed recent versions are urged to downgrade to pre-July 18 releases, disable auto-updates, rotate tokens, and reset passwords to secure their environments.

(BleepingComputer)