Honey Don't. The IT Privacy and Security Weekly update for the week ending December 16th, 2025

EP 270. 
In this week’s update:
Security researchers uncover over 10,000 publicly available Docker Hub images exposing sensitive credentials and API keys, posing severe risks to production systems and AI services.


A former Chinese official now seeking asylum in the United States reveals ongoing transnational harassment by Beijing, leveraging advanced surveillance tools, including those developed by American companies.


European law enforcement dismantles sophisticated "violence-as-a-service" networks in a major operation, arresting 193 suspects accused of recruiting teenagers for real-world attacks and intimidation.


Google announces the upcoming shutdown of its dark web monitoring service, citing user feedback that breach alerts lacked actionable guidance for meaningful protection.


A critical vulnerability in the popular React JavaScript library enables attackers to inject wallet-draining malware into legitimate cryptocurrency platforms, marking the second major supply-chain exploit in recent months.


Hundreds of Porsche vehicles across Russia suddenly become inoperable due to a widespread failure in satellite-dependent anti-theft systems, leaving owners stranded amid ongoing connectivity issues.


Pro-Russian threat actors launch a Telegram-based ransomware-as-a-service platform, only to undermine their own operation by carelessly hardcoding master decryption keys in plaintext.


Over 230 environmental organizations urge Congress to impose a nationwide pause on new data center construction, highlighting the facilities' escalating strain on electricity, water resources, and climate goals driven by AI expansion.


Let’s go have a look, but honey don’t forget the keys!


Global: Over 10,000 Docker Hub Images Found Leaking Credentials, Auth Keys
https://www.bleepingcomputer.com/news/security/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys/

More than 10,000 Docker Hub container images expose data that should be protected, including live credentials to production systems, CI/CD databases, or LLM model keys.

After scanning container images uploaded to Docker Hub in November, security researchers at threat intelligence company Flare found that 10,456 of them exposed one or more keys.

The most frequent secrets were access tokens for various AI models (OpenAI, HuggingFace, Anthropic, Gemini, Groq).

In total, the researchers found 4,000 such keys.

'These multi-secret exposures represent critical risks, as they often provide full access to cloud environments, Git repositories, CI/CD systems, payment integrations, and other core infrastructure components,' Flare notes.

Additionally, they found API tokens for AI services hardcoded in Python application files, config.json files and YAML configs, along with GitHub tokens and credentials for multiple internal environments.

Some of the sensitive data was present in the manifest of Docker images, a file that provides details about the image.

Flare notes that roughly 25% of developers who accidentally exposed secrets on Docker Hub realized the mistake and removed the leaked secret from the container or manifest file within 48 hours.

However, in 75% of these cases, the leaked key was not revoked, meaning that anyone who stole it during the exposure period could still use it later to mount attacks.


So what's the upshot for you?

Flare suggests that developers avoid storing secrets in container images, stop using static, long-lived credentials, and centralize their secrets management using a dedicated vault or secrets manager.


Organizations should implement active scanning across the entire software development life cycle, revoke exposed secrets, and invalidate old sessions immediately.
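As an added example in the spirit of the active scanning recommended above (not code from the article or from Flare), here is a small Python scanner that reads an OCI/Docker image config blob, the JSON carrying the image's ENV, LABEL and build history, plus an application config file of the kind found inside images, and flags strings that look like the AI, GitHub and cloud keys the report describes. The token patterns, the sample image config and the sample config.json are assumptions constructed for this example.

```python
import json
import re

# Regexes for the secret types the report names (AI API tokens, GitHub tokens,
# cloud keys). They are assumptions made for this example, not Flare's own
# detection rules; real tokens vary in length and alphabet.
SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "huggingface_token": re.compile(r"\bhf_[A-Za-z0-9]{20,}"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def redact(token):
    """Keep only a short prefix so the report itself never re-leaks the secret."""
    return token[:8] + "..." + f"({len(token)} chars)"

def scan_text(text, location):
    """Return one finding per secret-looking token in a blob of text."""
    findings = []
    for kind, pattern in SECRET_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append({"kind": kind, "location": location,
                             "preview": redact(match.group(0))})
    return findings

def scan_image_config(config_json):
    """Scan an image config blob: runtime Env and Labels, plus the build
    history, where ARG/ENV values from the Dockerfile survive in created_by."""
    cfg = json.loads(config_json)
    runtime = cfg.get("config") or {}
    findings = []
    for env in runtime.get("Env") or []:
        findings += scan_text(env, "config.Env")
    for key, value in (runtime.get("Labels") or {}).items():
        findings += scan_text(f"{key}={value}", "config.Labels")
    for i, layer in enumerate(cfg.get("history") or []):
        findings += scan_text(layer.get("created_by", ""), f"history[{i}]")
    return findings

# Constructed sample image config (not a real image): an AI key set via ENV
# and a HuggingFace token baked in through a Dockerfile ARG.
SAMPLE_CONFIG = json.dumps({
    "config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                       "OPENAI_API_KEY=sk-" + "A" * 40],
               "Labels": {"maintainer": "team@example.invalid"}},
    "history": [{"created_by": "/bin/sh -c #(nop) ADD file:abc in /"},
                {"created_by": "|1 HF_TOKEN=hf_" + "B" * 34 + " /bin/sh -c pip install -r requirements.txt"}],
})
# Constructed application config file of the kind found inside images.
SAMPLE_CONFIG_JSON = '{"anthropic_key": "sk-ant-' + "C" * 40 + '", "debug": true}'

if __name__ == "__main__":
    for f in scan_image_config(SAMPLE_CONFIG) + scan_text(SAMPLE_CONFIG_JSON, "app/config.json"):
        print(f"{f['kind']:<20} {f['location']:<18} {f['preview']}")
```

The image config blob can be obtained with `docker image inspect` or `skopeo inspect --config`, and scan_text can be run over any file extracted from the image's layers.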


CN: Chinese Whistleblower Living In US Is Being Hunted By Beijing With US Tech

https://abcnews.go.com/Technology/wireStory/chinese-whistleblower-now-living-us-hunted-beijing-us-128334783

A former Chinese official says Beijing pursued him across borders using sophisticated surveillance tools, including technology developed by U.S. companies.
According to reporting by ABC News and the Associated Press, Li Chuanliang fled China after learning he had become a target while recovering from cancer abroad.
Even after reaching the United States and seeking asylum, he says the pursuit did not stop.
Li describes being photographed by strangers, having his communications monitored, and watching his assets frozen.
He says Chinese authorities tracked his movements through police databases and used facial recognition to identify people connected to him.
More than 40 friends and relatives were detained, including his pregnant daughter, and three former associates reportedly died while in custody.
Investigators say Li’s case reflects a broader pattern.
China has dramatically expanded its use of surveillance technology to identify, pressure, and punish targets.
Inside China, official figures show nearly 900,000 officials were disciplined last year, far more than a decade ago.
Beijing frames this as anti-corruption enforcement, while critics argue it is also a tool to suppress dissent.
Abroad, the same systems underpin efforts known as Fox Hunt and Sky Net, aimed at forcing officials, dissidents, and suspects to return to China.
U.S. officials have condemned these actions as threats to sovereignty.
Chinese state media claim more than 14,000 people have been repatriated from over 120 countries through arrests, coercion, and pressure on family members.


So what's the upshot for you?
Modern surveillance collapses distance and borders, a reminder that personal data, once exposed, can be leveraged far beyond its original context.

EU: 193 Cybercrims Arrested, Accused of Plotting 'Violence-As-a-Service'

https://www.theregister.com/2025/12/08/european_cops_arrest_193/

European police wrapped up a six-month investigation into so-called “violence-as-a-service” networks, arresting 193 suspects across multiple countries.
Authorities say organized crime groups were recruiting teenagers online to carry out violent attacks, including murders and intimidation.
The operation, known as Taskforce GRIMM, began in April and involved law enforcement teams from Belgium, Denmark, France, Germany, the Netherlands, Spain, Sweden, the UK and others, working with Europol specialists.
Among those taken into custody were individuals directly linked to planning violent crimes, facilitators accused of enabling these services, and recruiters who allegedly groomed minors.
Police have labeled several key figures as high value.
Some arrests prevented alleged murder plots, with weapons and ammunition seized during coordinated raids.
Investigators highlighted the disturbing trend of encrypted communication tools being used to connect clients and perpetrators.

So what's the upshot for you?
Finally, a little more activity in law enforcement’s response to the hybrid cyber-enabled and physical violence networks that are affecting communities across Europe.

Global: Google will shut down “unhelpful” dark web monitoring tool

https://cybernews.com/security/google-dark-web-monitoring-shut-down/

Google is discontinuing its dark web monitoring tool early next year.
The service, designed to scan the dark web for users’ personal data and alert them to breaches, will stop scanning for new data on January 15, 2026, and be fully shut down on February 16, 2026.
All associated data will be deleted at that time.
The company acknowledged that feedback showed the tool did not provide clear actions users could take once notified about exposed information.
Google said it wants to focus on tools that deliver more practical security guidance instead of general breach alerts.
Introduced in March 2023 and later expanded to all users, the monitoring feature scanned for compromised names, emails, addresses, and other personal values.
Although the service was free and enabled by default, some security researchers found it less reliable than other dark web monitoring services.
Users can delete their monitoring profiles in advance through their account settings if they prefer not to wait until the official shutdown.
Google also continues to promote other account protection tools available within its ecosystem.

So what's the upshot for you?
This change marks a shift in how a major technology provider approaches digital risk alerts, reflecting the challenge of turning raw breach data into usable guidance that helps individuals act with confidence... or not.

Global: Second JavaScript Exploit in Four Months Exposes Crypto Sites to Wallet Drainers

https://www.tradingview.com/news/financemagnates:8ffab2a75094b:0-second-javascript-exploit-in-four-months-exposes-crypto-sites-to-wallet-drainers/

A newly found security flaw in the widely used JavaScript library React is allowing hackers to secretly inject malicious code that can drain cryptocurrency wallets from legitimate sites.
Cybersecurity researchers report that attackers are exploiting this vulnerability to embed wallet drainer scripts into front-end systems on crypto platforms and other web properties.
The vulnerability, tracked as CVE-2025-55182, permits unauthenticated remote code execution, meaning attackers can run their own code on affected sites without needing any credentials.
Once installed, the malicious scripts trick users into approving fraudulent transactions via deceptive pop-ups or reward prompts.
This is the second major JavaScript-related exploit in four months, underscoring how supply-chain and library vulnerabilities can cascade into serious security risks.
Security Alliance (SEAL), a nonprofit cybersecurity group, noted a marked surge in such wallet drainer attacks targeting crypto sites.
React developers released a patch in early December after the flaw was disclosed by a white-hat researcher, yet unpatched systems remain vulnerable.
Researchers warn that the attacks are not confined to Web3 protocols and can affect any site using the compromised modules.

So what's the upshot for you?
Now you have to watch your web application dependencies as rigorously as your crypto holdings.

RU: All of Russia’s Porsches Were Bricked By a Mysterious Satellite Outage

https://www.autoblog.com/news/all-of-russias-porsches-were-bricked-by-a-mysterious-satellite-outage

Hundreds of Porsche vehicles across Russia have suddenly become inoperable after a failure in their satellite-linked security systems.
Owners in cities like Moscow and Krasnodar found engines blocked, doors locked, and cars effectively turned into expensive immobile objects.
The problem began in late November and affected all Porsche models equipped with the factory Vehicle Tracking System installed since around 2013.
The Vehicle Tracking System uses satellite connectivity to verify a car is not being stolen.
When the connection dropped, the anti-theft protocol activated and immobilized the cars.
Dealerships reported a surge in service calls as owners struggled to start or access their cars.
Technicians have tried workarounds such as rebooting the tracking module or disconnecting car batteries, but many vehicles still cannot be driven.
Porsche has not issued an official statement addressing the cause or scope of the outage.
Some Russian dealers and owners have suggested the outage might be deliberate, though no confirmed evidence supports any targeted action.
Analysts note that modern cars’ reliance on connected systems can turn routine failures into major disruptions.

So what's the upshot for you?
Some drivers reported success after disconnecting their car batteries for up to 10 hours, while others managed to restore function by disabling or rebooting the VTS module entirely.
Some cars spring back to life immediately, while others remain stubbornly offline despite multiple attempts.
As a note: Porsche halted deliveries and suspended commercial operations in Russia after the invasion of Ukraine in February 2022.
That means there’s no official customer support channel for Russian owners dealing with this crisis.

RU: Russian Hackers Debut Simple Ransomware Service, But Store Keys In Plain Text

https://www.sentinelone.com/blog/cybervolk-returns-flawed-volklocker-brings-new-features-with-growing-pains/

The pro-Russian CyberVolk group resurfaced with a Telegram-based ransomware-as-a-service platform, but fatally undermined its own operation by hardcoding master encryption keys in plaintext.
First, the bad news: the CyberVolk 2.x (aka VolkLocker) ransomware-as-a-service operation launched in late summer.
It's run entirely through Telegram, which makes it very easy for affiliates that aren't that tech savvy to lock files and demand a ransom payment.
CyberVolk's soldiers can use the platform's built-in automation to generate payloads, coordinate ransomware attacks, and manage their illicit business operations, conducting everything through Telegram.
But here's the good news: the ransomware slingers got sloppy when it came time to debug their code and hardcoded the master key, the same key that encrypts every file on a victim's system, into the executable files.
This could allow victims to recover encrypted data without paying the extortion fee, according to SentinelOne senior threat researcher Jim Walter, who detailed the gang's resurgence and flawed code.

So what's the upshot for you?
For this shameful act of stupidity, we'll reserve comment as we don't want to influence your opinion of these utter morons... Oops.

US: More Than 200 Environmental Groups Demand Halt To New US Datacenters

https://www.theguardian.com/us-news/2025/dec/08/us-data-centers

A coalition of more than 230 environmental organizations is calling for a nationwide pause on new data center construction in the United States, escalating opposition to the rapid expansion of artificial intelligence infrastructure.
Groups including Greenpeace and Friends of the Earth argue that the growth of these facilities is driving up electricity costs, straining water supplies, and intensifying climate risks.
In a letter to Congress, the coalition said data centers have expanded quickly with limited regulation to support AI and cryptocurrency computing.
The groups want approvals halted until new rules address emissions, water use, and community impacts.
They contend that unchecked development threatens economic stability, environmental health, and basic utilities.
The pushback is increasingly visible at the local level.
At least 16 major data center projects, valued at roughly $64 billion, have been blocked or delayed after residents objected to higher power bills and heavy water consumption.
Water use has been especially contentious in dry regions where supplies are already under pressure.
If current growth trends continue, data centers could add up to 44 million tons of carbon dioxide by 2030, comparable to putting 10 million additional cars on the road.
Still, advocates say household energy costs are the issue resonating most with voters, as extreme weather and insurance disruptions add to broader economic stress.
Organizers describe the resistance as broad and bipartisan, driven by a perception that everyday consumers absorb the costs while benefits feel distant.

So what's the upshot for you?
AI infrastructure is no longer an abstract tech story, but a factor shaping our local resources, long-term financial exposure, and growing monthly utility bills.

This week's update covered:

The widespread exposure of sensitive keys in Docker images illustrates the dangers of embedding secrets in container builds. Developers might want to prioritize centralized secrets management and routine scanning to prevent lasting breaches even after quick fixes.

The next case highlights how advanced surveillance tools can erase borders, enabling persistent transnational repression. Remember that any personal data, once captured, can fuel harassment far beyond its intended use.

The successful disruption of "violence-as-a-service" networks shows that coordinated law enforcement can counter the dangerous blend of online recruitment and offline crime. Staying cyber-sharp is essential if these police forces are going to continue protecting communities from evolving hybrid threats.

Google's decision to retire its dark web monitoring feature reflects the challenge of turning breach notifications into truly actionable advice. Users should seek security tools that not only alert but also guide clear, practical steps for protection. Look here for advice.

Second JavaScript Exploit in Four Months Exposes Crypto Sites to Wallet Drainers: Repeated supply-chain vulnerabilities in core JavaScript libraries reveal how quickly dependencies can become attack vectors. Maintaining rigorous patch management and dependency monitoring is now as critical as safeguarding cryptocurrency itself.

The mass immobilization of connected vehicles illustrates the hidden risks of over-reliance on remote satellite systems for essential functions. As cars grow smarter, resilience against connectivity failures might be considered among the design priorities.

Even motivated threat actors can sabotage their own operations through basically stupid security oversights like hard-coding keys. This flaw reminds defenders that dumb attacker mistakes can offer unexpected opportunities for recovery without payment.

The growing backlash against unchecked data center expansion ties AI progress directly to real-world strains on energy, water, and household bills. Balancing technological advancement with household bills and sustainable infrastructure is no longer optional but urgent for communities nationwide.
And our quote of the week: "Honey! Don't forget the armor." – Joe Cervantes
That's it for this week. Stay safe, stay secure, don’t forget the keys, and we’ll see you in se7en.