International automotive giant Stellantis data compromised by Salesforce supply chain attack
International automotive giant Stellantis has confirmed that some of its North American customers' data was stolen as a result of a breach of a third-party service provider's platform. The attack involved the Salesforce supply chain and the attackers gained access to customers' address book information through overstepping their authority. The attack is believed to be linked to hacker group ShinyHunters, which claims to have stolen more than 18 million records, including names and contact information, from Stellantis' Salesforce instances.ShinyHunters has attacked Salesforce customers several times since the beginning of the year through voice phishing and other means, affecting companies including Google, Cisco, Adidas, Louis Vuitton, and many others.
Type Obfuscation Vulnerability in Google Chrome V8 Engine (CVE-2025-6554)
Vulnerability description
CVE-2025-6554 is a type confusion vulnerability in the V8 engine in Google Chrome. In Google Chrome before version 138.0.7204.96, a remote attacker can perform arbitrary read and write operations by crafting a malicious HTML page.
Vulnerability affects versions
Google Chrome version is lower than 138.0.7204.96.
Vulnerability Technical Details
CVE-2025-6554 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engines. Type obfuscation vulnerabilities can have serious consequences as they can be exploited to trigger unexpected software behavior that can lead to arbitrary code execution and program crashes.
Vulnerability impact surface assessment
The vulnerability is a zero-day exploit, which means that attackers start exploiting it before a fix is available. In a real-world attack, these vulnerabilities could allow hackers to install spyware, initiate drive-by downloads, or silently run harmful code, sometimes simply by getting users to open malicious websites.
The vulnerability was discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG) on June 25, 2025, suggesting that it may have been used in a highly targeted attack that could have involved state-sponsored attackers or surveillance operations.The TAG typically detects and investigates serious threats such as government-sponsored attacks.
Google also noted that the issue was mitigated the next day with a configuration change that was pushed to the stable channel for all platforms. For regular users, this means that the threat may not be widespread yet, but it still needs to be patched urgently, especially if you deal with sensitive or high-value data.
CVE-2025-6554 is the fourth Chrome zero-day vulnerability that Google has addressed since the beginning of the year, joining CVE-2025-2783, CVE-2025-4664, and CVE-2025-5419; however, it's worth noting that it's unclear whether CVE-2025-4664 has been maliciously exploited.
Vulnerability remediation recommendations
To protect against potential threats, it is recommended to update Chrome to 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS and 138.0.7204.96 for Linux.
If you're not sure if your browser has been updated, go to Settings > Help > About Google Chrome. -It should automatically trigger the latest update. For organizations and IT teams managing multiple endpoints, it's critical to enable automatic patch management and monitor browser version compliance.
Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fix as soon as it becomes available.
China's first batch of sub-cybersecurity insurance service pilot policy number exceeds 1,500
China's first batch of sub-network security insurance service pilot achieved remarkable results, landing more than 1,500 enterprise policies, with a total premium scale of more than 150 million yuan and a total insured amount of nearly 11.5 billion yuan. Anti-fraud insurance policies for residents exceeded 2 million policies, with a total premium of more than 24 million yuan and a total insured amount of more than 100 billion yuan. Cybersecurity insurance, as an innovative fusion of cybersecurity and financial services, helps to enhance the ability of enterprises to cope with cybersecurity risks, promote the digital transformation of small and medium-sized enterprises, build a socialized service system for cybersecurity, and promote the high-quality development of the cybersecurity industry.
AdsPower Fingerprint Browser Hacking Incident
AdsPower Fingerprint Browser transparently disclosed a breach, if you are using AdsPower and have installed an extension wallet or manually updated an extension wallet from January 21, 18:00 to January 24, 18:00 (UTC+8), then the extension wallet (e.g., MetaMask, etc.) on your AdsPower may be the version with the backdoor, which backdoor will steal your helper/private key.
The official announcement is below:
Dear users.
On January 24, 2025, the AdsPower security team discovered that some of the Encrypted Wallet plugins were maliciously substituted. We take this very seriously and have fixed the issue at the first opportunity to ensure your data is safe.
To further protect your assets, if you have updated or installed the Encrypted Wallet plugin between January 21st 18:00 and January 24th 18:00 (UTC+8), we recommend that you re-install the plugin and transfer funds to the new Secure Wallet address.
If you do not operate during this time, or do not receive our in-app notifications, then you have nothing to worry about, your account is safe.
However, we understand that this situation may have caused you distress and anxiety. In order to further investigate and ensure that the matter is dealt with thoroughly, we have invited Slow Fog Technology
@SlowMist_Team
Participate in the investigation and collection of evidence.
If you have any questions or need any help, please feel free to contact us through our online customer service at the bottom right corner of the client terminal or by email (support@adspower.net).
Thank you for your understanding and support, the AdsPower team will continue to work hard to ensure that we can provide you with more secure and reliable services🙏.
AdsPower Team
Arresting 70,000 people and rescuing more than 160, China and many countries jointly operate to combat electric extortion
From August to December 2024, the Lancang Law Enforcement Cooperation Centre organized and implemented the "Seagull" joint law enforcement operation, coordinating the law enforcement departments of six countries, namely Cambodia, China, Lao People's Democratic Republic, Myanmar, Thailand and Viet Nam, to jointly combat regional telecommunication network fraud crimes and their derivatives, as well as crimes of smuggling of firearms and ammunition. During the operation, the parties cracked more than 160 cases of various types, mainly involving wire fraud, arrested more than 70,000 suspects and rescued more than 160 victims.
This year, the Center will launch the second phase of the "Seagull" joint operation at an appropriate time, and continue to focus on combating telecommunication network fraud and its derivative crimes, in particular, making every effort to rescue lost and trapped persons from various countries, so as to effectively safeguard the safety of people's lives and property in various countries of the region, as well as the security and stability of the region.
Healthcare industry leaks data on over 235,000 patients, healthcare organizations pay over $10 million in damages
Recently, a court in the US state of New York has preliminarily approved a $1.5 million (Rs. 10.86 million) settlement agreement for resolving a class action lawsuit against One Brooklyn Health System. The lawsuit stems from a November 2022 cyberattack that resulted in the compromise of sensitive health data of more than 235,000 people.
Under the proposed settlement, eligible class action members can submit claims for up to $2,500 in actual out-of-pocket damages, as well as compensation for time spent dealing with the consequences of the data breach (up to four hours at $25 per hour).
Industry "insiders" bidding, 300,000 homeowners' information leaked.
Recently, the Public Security Bureau of X City, Shandong Province, cracked a case of infringement of citizens' personal information and arrested over 60 suspects. The suspects used the identities of building salespeople to sell owners' names, cell phone numbers, house numbers, household types, ID numbers and bank loan information to decoration, home appliance and furniture companies, involving more than 300,000 pieces of information. "Each roughly ranges from 0.5 yuan to 10 yuan a piece, old neighborhoods are relatively cheap because the owners' willingness to renovate is not great, while those newer neighborhoods, neighborhoods about to be handed over, and villa areas are a bit more expensive for the owners' information." The case involves more than 200,000 yuan, the police will continue in-depth investigation, and to remind enterprises to strengthen data protection, the public to raise awareness of personal information protection. Once the leakage behavior is found, the police should be timely to protect the rights and interests.
Artificial Intelligence Safety Regulatory System for Cybersecurity Institution Building
Xinhua News Agency has been authorized to release the Decision of the Central Committee of the Communist Party of China on Further Comprehensively Deepening Reforms to Advance Chinese-Style Modernization, which mentions strengthening the network security system and establishing a system for the safety supervision of artificial intelligence.
Massive data breach of sensitive personal information at Canadian healthcare organization
On May 30, 2024, the Qiulong ransomware organization allegedly announced a major data breach involving Indigo ENT Group, a company involved in the hospital and healthcare industry based in Coquitlam, British Columbia, Canada. According to a post shared by the organization, they had infiltrated Indigo ENT's network for several weeks, during which time they claimed to have stolen thousands of pieces of personal, confidential, and protected health information (PHI), as well as patients' personally identifiable information (PII).
Massive data breach of sensitive user information at Peruvian credit bank
BCP Peru's database was allegedly compromised and made available for download. The allegedly compromised data consisted of 57,694 rows, including sensitive customer information such as card type, issue type, bank identification number, cardholder name, account holder name, home address, province of residence, customer ID, and primary phone number. If true, the intrusion poses a significant risk to affected individuals and could lead to identity theft, financial fraud and other malicious activity.