In Other News: Apple Patches Beats Eavesdropping Flaw, DOT Closes Delta CrowdStrike Probe, AWS Continuum

This week’s roundup covers major security issues ranging from a critical phpBB authentication bypass and compromised WordPress plugins to stealthy long-term intrusion by Velvet Ant and malicious JetBrains Marketplace plugins stealing AI keys. It also highlights cloud and browser risks, including GCP Config Connector privilege escalation, Chrome extension flaws in MaXSS and Spyder, and a supply chain attack affecting more than 1.2 million WordPress sites.

Key points

  • A critical phpBB flaw allows unauthenticated session hijacking and admin takeover.
  • Velvet Ant maintained stealthy access in air-gapped critical infrastructure for years.
  • Malicious Chrome extensions MaXSS and Spyder can compromise browser sessions and steal data.
  • JetBrains Marketplace plugins were used to exfiltrate developer AI API keys.
  • A supply chain attack on OptinMonster-related WordPress plugins may have affected over 1.2 million sites.

Read More: https://www.securityweek.com/in-other-news-apple-patches-beats-eavesdropping-flaw-dot-closes-delta-crowdstrike-probe-aws-continuum/