Mozilla has recently patched a critical security vulnerability in its Firefox Web browser that's being actively exploited in the wild.  Tracked as CVE-2024-9680, the vulnerability is a use-after-free issue in Animation timelines, with attackers exploiting it to execute arbitrary code.  It carries a CVSSv3 vulnerability severity rating of 9.8 out of 10 and has a low attack complexity.  Mozilla noted that no privileges or user interaction is needed to exploit the flaw successfully.

According to security researchers at Sonatype, as open-source software (OSS) consumption soars, there has been a 156% surge in open-source malware.  The security researchers stated that more than 704,102 malicious packages have been identified since 2019, and 512,847 of these have been discovered since November 2023.  The researchers noted that this year has been a record-breaking year for open-source consumption, reaching an estimated 6.6 trillion downloads.

According to the Artificial Intelligence (AI) security company HiddenLayer, codeless, persistent backdoors can be planted in Machine Learning (ML) models by manipulating an AI model's graph. The "ShadowLogic" technique manipulates a model architecture's computational graph representation to initiate behavior defined by the attacker in downstream applications, thus enabling AI supply chain attacks. HiddenLayer notes that threat actors can implant codeless backdoors in ML models using ShadowLogic that persist through fine-tuning and can be used in highly targeted attacks.

The European Union Council has officially adopted the Cyber Resilience Act (CRA), which will introduce EU-wide cybersecurity requirements for products with digital elements.  The new regulation aims to fill the gaps, clarify the links, and make the existing cybersecurity legislative framework more coherent, ensuring that products with digital components are made secure throughout the supply chain and throughout their lifecycle.

According to security researchers at Check Point Research (CPR), a new disinformation campaign, dubbed “Operation MiddleFloor,” has been observed targeting Moldova ahead of its October elections.  The researchers noted that the campaign began in August 2024 and seeks to influence Moldova’s national referendum on European Union membership by fostering negative views of the EU and the country’s pro-European leadership.  Unlike many other disinformation efforts that rely on social media, Operation MiddleFloor is primarily conducted through emails.

Hotel giant Marriott has recently agreed to pay a $52m settlement to 50 US states for a large multi-year data breach impacting 131.5 million American customers.  It is estimated that 339 million guest records were exposed globally in the incident.  According to the Federal Trade Commission (FTC), attackers accessed the database undetected from July 2014 to September 2018.  The impacted records included guests’ personal details, a limited number of unencrypted passport numbers, and unexpired payment card information.

According to Pillar Security's "State of Attacks on GenAI" report, attacks on Large Language Models (LLMs), on average, take 42 seconds to complete, and successful LLM attacks result in sensitive data leakage 90 percent of the time. The report shared new insights regarding LLM attacks and jailbreaks, based on telemetry data and real-world attack examples from over 2,000 AI applications.

"The Wayback Machine," an initiative of the Internet Archive, has suffered a data breach due to a threat actor compromising the website and stealing a user authentication database consisting of 31 million different records. Those who have recently visited archive.org saw a JavaScript alert created by the hacker, saying that the Internet Archive has been breached. The alert mentions "HIBP," which refers to Troy Hunt's "Have I Been Pwned" data breach notification service that allows users to check whether their personal data has been compromised by data breaches.

Researchers at Jscrambler have detailed a new digital skimmer campaign that hides "Mongolian Skimmer" using Unicode obfuscation methods. According to the researchers, the script's obfuscation seemed odd due to all the accented characters. The code's heavy use of Unicode characters, many of which are invisible, makes it difficult for humans to read. At its core, the script utilizes JavaScript's capability to use any Unicode character in identifiers in order to hide malicious functionality. The malware steals sensitive data entered on e-commerce checkout or admin pages.

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have warned about Iranian threat actors targeting the email accounts of individuals associated with national political organizations and campaigns. According to the agencies' joint advisory, threat actors linked to the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted government officials, activists, journalists, lobbyists, and more to incite conflict and undermine confidence in US democracy.