San Mateo, CA, October 6, 2025 — Stories, events, and developments that impacted the cybersecurity landscape last week, including emerging threats, policy changes, and industry responses.
HackerOne bug bounties hit $81M amid AI-driven surge
HackerOne announced that white-hat hackers earned $81 million in rewards over the past year, a 13% increase from the previous period. The platform, which manages nearly 2,000 bug bounty programs for organizations including GitHub, Goldman Sachs, Uber, and the U.S. Department of Defense, reported that its top 10 programs alone paid out $21.6 million. AI-related security issues surged, with reported vulnerabilities rising more than 200%, and prompt injection flaws rose 540%, making them the fastest-growing category. HackerOne noted that 1,121 programs now include AI in scope, with autonomous AI agents submitting valid reports. CEO Kara Sprague highlighted the rise of “bionic hackers” using AI to enhance testing as a driving factor in the increased discovery of security issues. Read more.
Red Hat GitHub breach claim could mark tech’s biggest hack
An extortion group calling itself Crimson Collective is claiming to have stolen nearly 570GB of compressed data from Red Hat’s private GitHub, including 28,000 repositories containing source code and confidential information. If confirmed, the breach could be among the largest in tech history, with references to organizations such as Citi, Verizon, Siemens, HSBC, Telefonica, and even the U.S. Senate. Early reviews suggest the data includes credentials, CI/CD secrets, VPN profiles, and deployment blueprints that could fuel further intrusions or extortion. Security experts warn that this highlights deep supply chain risks, as compromised DevOps pipelines and configuration files can ripple through entire ecosystems. Read more.
North Korean IT operatives shift targets beyond U.S. tech
North Korean nationals disguising their identities to secure remote jobs are increasingly expanding beyond U.S. tech firms and into a wide range of industries worldwide, Okta researchers warned. Their analysis linked more than 130 identities to 6,500 job interviews across 5,000 companies since 2021, with evidence of targeting roles in finance, insurance, healthcare, manufacturing, public administration, and professional services. While many efforts still focus on IT and engineering positions, North Koreans are also pursuing finance-related roles like payments processing. Okta found that 27% of targeted jobs are now outside the U.S., with the U.K., Canada, and Germany being top destinations. “It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” reads Okta’s report. Read more.
Clop-linked actor sends extortion threats to executives
An actor claiming ties to the Clop ransomware group has been sending extortion emails to executives at multiple organizations since September 29, according to Google. The emails allege the theft of sensitive Oracle E-Business Suite data, though investigators at Mandiant and Google’s Threat Intelligence Group say there is no evidence yet to validate such claims. Charles Carmakal, CTO of Mandiant at Google Cloud, said the campaign involves “hundreds of compromised accounts,” with at least one linked to FIN11, a financially motivated group that has deployed ransomware in the past. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site (DLS). This move strongly suggests there’s some association with Clop…,” said Carmakal. However, this does not confirm Clop’s involvement, as cybercriminals often impersonate known groups to amplify pressure. Read more.
Neon call-recording app pulled after massive data exposure
A viral new app called Neon, which pays users for recording and sharing their phone calls to train AI models, has been pulled offline after a major security flaw exposed sensitive data, TechCrunch reports. Launched last week and already among the top-five free iPhone apps, Neon was downloaded 75,000 times in a single day. However, testing revealed that its servers allowed any logged-in user to access others’ call recordings, transcripts, phone numbers, and metadata. TechCrunch confirmed this by intercepting app traffic, uncovering publicly accessible audio and transcripts from user calls. Founder Alex Kiam shut down the app citing the need for “extra layers of security” in an email sent out to customers, but did not make any mention of the exposed user data. Read more.
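The Neon flaw described above is broken object-level authorization: the server checked that a caller was logged in, but never that the recording being requested belonged to that caller. The following is an added illustration, not Neon's code or TechCrunch's test harness; the in-memory store, the session model, and the record IDs are constructed for the example. It shows a vulnerable handler beside a hardened one, and a small probe of the kind a tester would run by replaying requests with another user's IDs.

```python
"""Object-level authorization for per-user call recordings (added example).

The store, user IDs and recording IDs below are constructed for
illustration; nothing here is taken from the Neon app itself.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Recording:
    id: str
    owner_id: str
    transcript: str


# Constructed sample data: two users, each with one recording.
RECORDINGS = {
    "rec-1": Recording("rec-1", "user-a", "hello, this is a test call"),
    "rec-2": Recording("rec-2", "user-b", "confidential account details"),
}


class Unauthorized(Exception):
    """No valid session."""


class NotFound(Exception):
    """Recording does not exist, or is not visible to this caller."""


def get_recording_vulnerable(session_user: Optional[str], rec_id: str) -> Recording:
    """Authenticates the caller but never checks ownership: any logged-in
    user who knows (or guesses) an ID can read anyone's recording."""
    if session_user is None:
        raise Unauthorized()
    rec = RECORDINGS.get(rec_id)
    if rec is None:
        raise NotFound()
    return rec


def get_recording_hardened(session_user: Optional[str], rec_id: str) -> Recording:
    """Same lookup, but the record must belong to the session user.
    A foreign ID yields the same NotFound as a missing one, so the
    response does not reveal which IDs exist."""
    if session_user is None:
        raise Unauthorized()
    rec = RECORDINGS.get(rec_id)
    if rec is None or rec.owner_id != session_user:
        raise NotFound()
    return rec


def list_recordings_hardened(session_user: Optional[str]) -> List[Recording]:
    """Listing is scoped by owner at the query, not filtered afterwards."""
    if session_user is None:
        raise Unauthorized()
    return [r for r in RECORDINGS.values() if r.owner_id == session_user]


def probe(handler: Callable[[Optional[str], str], Recording],
          session_user: str, candidate_ids: List[str]) -> List[str]:
    """Replay a fixed set of IDs as one user and report which ones the
    handler serves. This is the IDOR check a tester would run."""
    readable = []
    for rec_id in candidate_ids:
        try:
            handler(session_user, rec_id)
            readable.append(rec_id)
        except (Unauthorized, NotFound):
            pass
    return readable


if __name__ == "__main__":
    ids = sorted(RECORDINGS)
    print("vulnerable:", probe(get_recording_vulnerable, "user-a", ids))
    print("hardened:  ", probe(get_recording_hardened, "user-a", ids))
```

Running the probe as `user-a` returns both IDs from the vulnerable handler and only `rec-1` from the hardened one. The important design point is that the ownership check happens in the same lookup that fetches the object, and that a foreign ID is indistinguishable from a non-existent one.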
Palo Alto confirms new Chinese espionage group Phantom Taurus
Palo Alto Networks’ Unit 42 reports that a newly identified China-linked espionage group, Phantom Taurus, is targeting high-value organizations in the Middle East, Africa, and Asia. Operating with extreme stealth since at least 2022, the group focuses on ministries of foreign affairs, embassies, diplomats, and telecoms to collect sensitive geopolitical intelligence. Unit 42 researchers found Phantom Taurus using a unique toolkit, including the newly discovered NET-STAR malware suite, which features stealthy web-based backdoors designed for in-memory execution and evasion. Despite its sophistication, the group often gains initial access through unpatched internet-facing devices. Assaf Dahan, director of threat research at Palo Alto Networks’ Cortex unit, said that the group’s “entire playbook seems distinct and quite apart from other Chinese threat actors. It’s not something that you can mistake for another group.” Read more.
Corporate boycotts fueled by bot networks and AI amplification
Bot networks, once associated with fraud and state-backed operations, are increasingly being weaponized against corporations, supercharged by generative AI that makes fake accounts easier than ever to generate at scale and harder than ever to trace. Brands including Amazon, Target, McDonald’s, Boeing, and Cracker Barrel have all faced bot-driven campaigns amplifying boycotts and backlash far beyond the reach of genuine criticism. The height of the Cracker Barrel incident occurred just before midnight on August 20, when X was seeing around 400 posts about the company’s logo per minute. At that point, 70% of the accounts promoting boycotts used duplicate messages, a key marker of coordinated bot activity, said Molly Dwyer, director of insights at PeakMetrics. Experts say attribution is difficult, but financial incentives and divisive engagement are what drive these attacks. Read more.
Chinese threat actors exploit VMware zero-day since 2024
Broadcom has released patches for a high-severity privilege escalation vulnerability in VMware Aria Operations and VMware Tools that has been actively exploited since October 2024. Tracked as CVE-2025-41244, the flaw was reported by NVISO researcher Maxime Thiebaut in May, but exploitation in the wild was later confirmed by NVISO, which attributed the activity to the Chinese state-sponsored UNC5174 group. The bug allows local attackers to stage a malicious binary in commonly abused paths, such as /tmp/httpd, where VMware service discovery can elevate it to root. NVISO published a proof-of-concept exploit showing root-level compromise on vulnerable systems. Broadcom has not yet issued a public statement about the exploitation. Read more.
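The exploitation pattern above, a binary staged under a world-writable directory with a service-like name so that a privileged discovery feature runs it as root, is something a defender can hunt for on the host. The script below is an added example, not NVISO's proof of concept and not VMware code. The list of untrusted directories and the service-name pattern are assumptions for illustration (only `/tmp/httpd` comes from the article); the live scan reads `/proc`, so it is Linux-only, and the constructed sample process table lets it run anywhere.

```python
"""Hunt for service-named binaries running from world-writable paths.

Added example for the CVE-2025-41244 staging pattern described above.
UNTRUSTED_DIRS and SERVICE_NAME_RE are assumptions chosen for illustration;
they are not the patterns used by VMware's service discovery.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Directories where an unprivileged local user can usually drop a file (assumed).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Process names a discovery agent might resolve to a "known service".
# httpd is from the article; the others are assumed for illustration.
SERVICE_NAME_RE = re.compile(r"^(httpd|nginx|mysqld|postgres|sshd|java|python[0-9.]*)$")


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str       # resolved path of the running executable (/proc/<pid>/exe)
    cmdline: str   # argv joined with spaces


def untrusted_dir(path: str) -> Optional[str]:
    """Return the untrusted prefix the path lives under, or None."""
    return next((d for d in UNTRUSTED_DIRS if path.startswith(d)), None)


def why_suspicious(p: Proc) -> Optional[str]:
    """Return a finding string if the process looks staged, else None.

    Anything executing from an untrusted directory is reported; a
    service-like name on top of that is the higher-confidence hit.
    """
    d = untrusted_dir(p.exe)
    if d is None:
        return None
    name = os.path.basename(p.exe)
    if SERVICE_NAME_RE.match(name):
        return f"pid {p.pid}: service-named binary {name!r} running from {d}"
    return f"pid {p.pid}: executable {p.exe!r} running from {d}"


def scan(procs: Iterable[Proc]) -> List[str]:
    """Apply why_suspicious to every process and keep the findings."""
    return [r for r in (why_suspicious(p) for p in procs) if r]


def live_procs() -> List[Proc]:
    """Read the process table from /proc (Linux only; empty list elsewhere).
    Processes we cannot inspect (exited, or owned by another user when not
    root) are skipped rather than treated as errors."""
    out: List[Proc] = []
    if not os.path.isdir("/proc"):
        return out
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        out.append(Proc(int(pid), exe, cmd))
    return out


# Constructed sample process table so the hunt runs offline.
SAMPLE = [
    Proc(1001, "/usr/sbin/httpd", "/usr/sbin/httpd -k start"),       # legitimate
    Proc(4242, "/tmp/httpd", "/tmp/httpd"),                           # staged, as in the article
    Proc(4243, "/dev/shm/.x/java", "java -jar /dev/shm/.x/a.jar"),    # staged, hidden dir
    Proc(4244, "/var/tmp/updater", "/var/tmp/updater"),               # untrusted path, odd name
]

if __name__ == "__main__":
    for finding in scan(live_procs() or SAMPLE):
        print(finding)
```

The first sample process is ignored because it runs from `/usr/sbin`; the other three are reported. On a real host, run this as root so `/proc/<pid>/exe` is readable for every process, and treat a service-named binary under `/tmp` on a system running the affected VMware components as a reason to pull the binary and check who created it.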
OpenAI’s GPT-4o routes conversations to different models
OpenAI has confirmed that GPT-4o may temporarily direct conversations to other models, including GPT-5 variants, as part of its safety framework. Users noticed the unexpected behavior when GPT-4o sessions changed models mid-chat, prompting concerns. In an X post, VP of ChatGPT Nick Turley explained that “routing happens on a per-message basis; switching from the default model happens on a temporary basis. ChatGPT will tell you which model is active when asked. As we previously mentioned, when conversations touch on sensitive and emotional topics the system may switch mid-chat to a reasoning model or GPT-5 designed to handle these contexts with extra care.” While routing cannot be disabled, OpenAI described it as a step toward stronger protections as the system learns from real-world use ahead of a wider rollout. Read more.
Cybersecurity job vacancies remain high, stress levels rising
Cybersecurity teams continue to face talent and resource shortages, with ISACA’s new State of Cybersecurity 2025–2026 report showing 65% of organizations have unfilled cyber roles and over half believe their budgets are underfunded. Hiring remains slow, often taking up to six months for both entry- and non-entry-level positions, while retention challenges persist. Only 27% of respondents felt university graduates were well-prepared for cyber roles, citing major skill gaps in incident response, data security, and threat detection. Employers placed higher value on adaptability, hands-on training, and soft skills such as critical thinking and communication. Meanwhile, 66% of cyber professionals said their jobs are more stressful than five years ago, driven by complex threats and rising attack frequency, with social engineering the top cited vector. Read more.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
