
Security Bulletin


George Sutton

Minnesota National Guard Activated in Response to City of Saint Paul Ransomware Attack

August 15th, 2025


❓What:

  • The city of Saint Paul confirmed the cyber attack they experienced in late July to be a ransomware attack carried out by ransomware gang Interlock. Threat intel company PRODAFT reports that the actors were able to access the city's systems via custom SystemBC Remote Access Trojan (RAT) malware.

  • After the incident exceeded city response capacity, the state of Minnesota activated the National Guard's Cyber Protection Unit to work jointly with the city and the FBI in a recovery effort the Mayor has named Operation Secure St. Paul.

  • Interlock claims it stole ~66,000 files / 43 GB and has begun leaking data. The mayor said residents’ personal/financial info was "not impacted".


George Sutton

A Not So Happy Meal: McDonald's AI Hiring Bot Breached Due to a McFlurry of Elementary Security Protocols

July 14th, 2025


🔍 Key Takeaways

  • What happened? Paradox.ai’s AI chatbot “Olivia,” used in McDonald’s McHire hiring platform, contained basic yet critical security flaws. An administrator login was protected by the credentials 123456/123456, and a sequential applicant ID allowed Insecure Direct Object Reference (IDOR) access.

  • Scope of exposure: This enabled access to all of the platform's historical chat records, approximately 64 million records, including names, emails, phone numbers, physical addresses, and application data.

  • Researchers' findings: In 30 minutes, two cybersecurity professionals (Ian Carroll & Sam Curry) accessed a dormant Paradox.ai test admin account and used ID manipulation to review multiple applicants’ chat logs.


George Sutton

A Silent Threat: Popular Chrome Browser Extensions That Could Be Stealing Your Data

July 8th, 2025


❓ What:

  • Researchers at Koi Security discovered nearly a dozen Chrome extensions on the official Web Store with approximately 1.7 million combined installations. These extensions, disguised as helpful tools—such as color pickers, VPNs, emoji keyboards, and more—contain hidden malicious capabilities.

  • The malicious code, inserted into the extensions via later updates, registers a background listener to capture every visited URL. Data and a unique user ID are sent to a remote server, which could deliver redirect commands to unsafe websites. The extension updates are rolled out silently and automatically by Google's auto-update system without requiring interaction from the end-user.

  • Compromised extensions were also found in the Microsoft Edge store, adding another 600,000 installs, making the total infected users over 2.3 million.


George Sutton

16 Billion Credentials Exposed: The Biggest Password Leak In History

June 26, 2025


🔑 Key Takeaways:

  • Largest credential leak ever — most users likely impacted.

  • Stolen via info-stealer malware, not just from website breaches.

  • No platform is safe: Tech giants and government services alike are affected.

