TechRisk #139: AI-powered self-destruct pentest tool
Plus, hidden limit of RAG, OpenAI’s new guardrails for teens, NPM supply chain attack tested by attackers, and more!
Tech Risk Reading Picks
AI-powered penetration-testing tool: A new AI-powered penetration-testing framework called Villager, uploaded to PyPI in late July 2025 by a user named stupidfish00, has been downloaded nearly 11,000 times. It is linked to a China-associated firm believed to be Cyberspike, and raised warnings it could be repurposed by criminals. [more]
Operating as a Model Context Protocol (MCP) client, it integrates with Kali Linux toolsets, LangChain, and DeepSeek's AI models to automate testing workflows, handle browser-based interactions, and issue commands in natural language that can then be converted into their technical equivalents. Besides leveraging a database of 4,201 AI system prompts to generate exploits and make real-time decisions in penetration testing, the AI-native penetration testing framework automatically creates isolated Kali Linux containers for network scanning, vulnerability assessment, and penetration testing, and destroys them after a period of 24 hours, effectively covering up traces of the activity.
Analysts found plugins and code resembling known RATs (AsyncRAT) and other offensive utilities, and security firms warn the package’s public availability and automation make it likely to follow the Cobalt Strike path of legitimate tooling becoming widely abused, intensifying the speed, scale, and forensic challenges of AI-driven attacks.
Hidden limit of RAG: Google DeepMind’s new research shows that single-vector embeddings (the backbone of RAG and semantic search) have a fundamental mathematical limit: they cannot represent all possible ways documents may be relevant to queries, no matter the model size or training data. This ceiling becomes critical as tasks grow more complex and combinatorial, where queries require multiple documents or abstract relationships. Tests on the LIMIT dataset revealed that state-of-the-art embedding models fail badly (often <20% recall), while older sparse methods like BM25 perform far better, underscoring the structural flaw. For enterprises, the takeaway is clear: embedding-based retrieval isn’t a panacea. Leaders should watch for warning signs (queries needing multiple documents failing), adopt hybrid architectures (dense + sparse retrieval), and rethink benchmarks to build more resilient, future-proof AI systems. [more]
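Added example, not from the DeepMind paper or this newsletter: a small hybrid retriever that combines a sparse BM25 ranking with a dense ranking through reciprocal rank fusion, which is the "dense + sparse" architecture the item recommends. The corpus, the two queries and the tiny word-vector table are constructed for illustration; the dense retriever is a toy stand-in for a learned embedding model, built only to show why each side catches what the other misses (synonyms for the dense side, exact rare tokens such as a ticket ID for BM25).

```python
"""Hybrid retrieval: BM25 (sparse) + toy dense scoring, fused with RRF."""
import math
from collections import Counter

# Constructed corpus of incident-report snippets.
DOCS = {
    "d1": "attacker used a stolen token to access the cloud console",
    "d2": "an automobile was parked in the visitor lot overnight",
    "d3": "credential theft via phishing email targeting finance staff",
    "d4": "ticket INC-4471 reports a leaked api key in a git repository",
    "d5": "a car was left in the parking garage with the keys inside",
}

# Constructed synonym-aware vectors: a toy stand-in for an embedding model.
# Tokens missing from the table contribute nothing to the dense vector.
WORD_VECS = {
    "car": (1.0, 0.0, 0.0), "automobile": (1.0, 0.0, 0.0), "vehicle": (1.0, 0.0, 0.0),
    "parked": (0.8, 0.0, 0.0), "parking": (0.8, 0.0, 0.0),
    "stolen": (0.0, 1.0, 0.0), "theft": (0.0, 1.0, 0.0), "leaked": (0.0, 0.9, 0.0),
    "credential": (0.0, 0.0, 1.0), "token": (0.0, 0.0, 1.0), "key": (0.0, 0.0, 1.0),
}


def tokenize(text):
    return text.lower().split()


def embed(text):
    """Sum the toy word vectors and L2-normalise (mean pooling up to scale)."""
    vec = [0.0, 0.0, 0.0]
    for tok in tokenize(text):
        for i, x in enumerate(WORD_VECS.get(tok, (0.0, 0.0, 0.0))):
            vec[i] += x
    norm = math.sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec] if norm else vec


def _ranked(scores):
    """Doc ids sorted by score, highest first; zero-score docs are dropped."""
    return [d for d, s in sorted(scores.items(), key=lambda kv: -kv[1]) if s > 0]


def dense_rank(query):
    q = embed(query)
    return _ranked({d: sum(a * b for a, b in zip(q, embed(t))) for d, t in DOCS.items()})


def bm25_rank(query, k1=1.5, b=0.75):
    """Standard BM25 with the log((N - n + 0.5) / (n + 0.5) + 1) idf variant."""
    toks = {d: tokenize(t) for d, t in DOCS.items()}
    n_docs = len(toks)
    avgdl = sum(len(t) for t in toks.values()) / n_docs
    df = Counter()
    for t in toks.values():
        df.update(set(t))
    scores = {}
    for d, t in toks.items():
        tf = Counter(t)
        score = 0.0
        for term in tokenize(query):
            if term not in tf:
                continue
            idf = math.log((n_docs - df[term] + 0.5) / (df[term] + 0.5) + 1)
            denom = tf[term] + k1 * (1 - b + b * len(t) / avgdl)
            score += idf * tf[term] * (k1 + 1) / denom
        scores[d] = score
    return _ranked(scores)


def rrf(*rankings, k=60):
    """Reciprocal rank fusion: score(d) = sum over lists of 1 / (k + rank)."""
    fused = Counter()
    for ranking in rankings:
        for rank, d in enumerate(ranking, start=1):
            fused[d] += 1.0 / (k + rank)
    return [d for d, _ in fused.most_common()]


def hybrid_rank(query):
    return rrf(dense_rank(query), bm25_rank(query))


if __name__ == "__main__":
    for q in ("vehicle parked", "INC-4471 key"):
        print(q, "| bm25:", bm25_rank(q), "| dense:", dense_rank(q), "| hybrid:", hybrid_rank(q))
```

For "vehicle parked" BM25 finds only the document containing the literal token, while the toy dense side also surfaces the "car ... parking" document; for "INC-4471 key" the dense side cannot see the ticket ID at all, but BM25 pins it down. The fused list keeps the best of both, which is the warning sign the item tells leaders to watch for: if your pipeline is dense-only, the second query class silently degrades.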
OpenAI’s new guardrails for teens: OpenAI has announced new safety measures for ChatGPT following concerns about teens forming parasocial bonds with AI and a lawsuit tied to a suicide case. The company will now segment users by age, restricting those under 18 from accessing features such as “flirtatious” responses or discussions of suicide and self-harm, even if prompted under the guise of creative writing. OpenAI is building an age-prediction system and may require ID verification. Parents will soon gain new controls to link to their teen’s account, manage features, set blackout hours, and receive alerts if ChatGPT detects signs of acute distress. This also includes law enforcement involvement in emergencies. These moves signal OpenAI’s effort to mature its platform, safeguard young users, and set industry expectations as generative AI adoption continues to grow. [more]
New campaigns use LLM to attack hotels: The threat actor TA558, linked to the group tracked by Kaspersky as RevengeHotels, has launched new campaigns targeting hotels in Brazil and Spanish-speaking markets, deploying remote access trojans (RATs) such as Venom RAT via phishing emails disguised as invoices, hotel reservations, or job applications. Observed in summer 2025, these attacks leverage AI-generated scripts and PowerShell downloaders to deliver malware. The payloads include anti-kill mechanisms, persistence features, and capabilities to steal credit card data from hotel systems and online travel agencies. [more]
Active since at least 2015, RevengeHotels has continuously refined its tactics, now employing large language model (LLM) agents to automate and enhance phishing lures, and distributing a wide range of RATs, with the primary goal of compromising hospitality networks and exfiltrating sensitive financial information.
Framework for secure AI: Many security operations centers (SOCs) are adopting AI tools without proper integration, rules, or visibility, leaving blind spots that attackers exploit. To address these challenges, a three-part framework is advised: Protect AI (securing models, data, and infrastructure against threats like model poisoning and prompt injection), Utilize AI (integrating automation into detection and response to reduce analyst workload), and Govern AI (ensuring responsible, visible use across organizations). Strong defenses should also include AI-powered phishing and voice screening tools, streamlined alert management, and identity protections such as FIDO2/WebAuthn passkeys, paired with targeted training for high-risk frontline staff. [more]
Shadow AI and enterprise productivity challenges: Generative AI is now central to enterprise productivity, but its rapid adoption has outpaced legacy security controls, leaving risks like sensitive data leaks via chatbots or shadow IT unmanaged. The AI security market is crowded yet unclear, as many vendors simply rebrand outdated tools that cannot handle modern AI workflows. To address this, the buyer’s journey must evolve: discovery of sanctioned and shadow AI tools, real-time monitoring to separate safe from risky use, nuanced enforcement through redaction and warnings instead of blunt blocking, and architecture fit that avoids complex deployments. Security leaders should ask whether solutions work without agents, cover BYOD/unmanaged environments, offer more than “block,” and adapt to new AI tools. Blanket bans only drive shadow AI, so the sustainable approach is balancing security with productivity through contextual enforcement. [more]
New phishing campaign using AI-generated deepfake military ID: North Korea’s Kimsuky hacking group has launched a new phishing campaign that uses AI-generated deepfake military ID cards to trick victims, marking a shift from its earlier ClickFix tactics that relied on fake pop-ups. [more]
First spotted in July 2025 by Genians Security Center (GSC), the campaign involved emails disguised as messages from South Korea’s defense institutions, luring recipients with a ZIP file containing a fake ID draft. Once opened, the file triggers a hidden program that downloads malware, installs disguised tasks, and compromises the system. The use of AI-generated photos, with a 98% likelihood of being fake, underscores Kimsuky’s evolving social engineering methods.
This development follows previous cases where North Korean actors used AI for fake identities in job interviews, reflecting a wider trend of state-backed hackers exploiting AI tools. GSC warns that advanced defenses like Endpoint Detection and Response (EDR) are critical to counter such increasingly sophisticated threats.
Qwen3-Next: Alibaba’s Qwen team has launched Qwen3-Next, a new generation of open-source large language models that push efficiency, scalability, and affordability while rivaling US leaders in performance. Benchmarks place its reasoning capabilities alongside top models like DeepSeek V3.1 and ahead of Google’s Gemini-2.5-Flash-Thinking in some tasks. Qwen3-Next signals a shift toward sustainable architectures and paves the way for Qwen3.5. [more]
Released under Apache 2.0 for free commercial use, the models come in two variants (Instruct and Thinking) and introduce a hybrid architecture that blends Gated DeltaNet (“fast reader”) with Gated Attention (“careful checker”), enabling both speed and accuracy for long-context reasoning.
With an ultra-sparse Mixture-of-Experts design, only 3B of 80B parameters activate per token, delivering high efficiency, lower costs, and throughput gains of over 10× compared to earlier models at long context lengths. Qwen3-Next supports up to 256K tokens natively (validated to 1M), fits on a single Nvidia H200 GPU, and is priced significantly lower than previous versions.
Web3 Cryptospace Spotlight
NPM supply chain attack tested by attackers: Despite managing to steal only around $1,100 in crypto assets over four days, an NPM supply chain attack is expanding and is considered a "blueprint for future Web3 fraud." While the initial attack targeted crypto transaction addresses for replacement, a DuckDB package was also compromised, though its malicious versions were not widely downloaded. Security experts warned that the list of affected packages is still evolving and that organizations should assume malicious versions remain available. They also noted that developers were targeted with phishing emails to steal two-factor authentication information. Another crypto security specialist, Cyvers, emphasized that the industry's vulnerability is shifting to the Web2 stack, where attackers are poisoning JavaScript libraries, compromising cloud infrastructure, and hijacking front-end code to manipulate address displays. [more]
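Added example, not from the newsletter or any of the firms it quotes: a lockfile audit a defender can run when told to "assume malicious versions remain available". It parses an npm package-lock.json (lockfileVersion 3 layout) and flags three things: dependencies pinned to versions on an advisory list, entries with no integrity hash (so the tarball cannot be verified at install time), and tarballs resolved from outside an allowlist of registries. The lockfile excerpt, the package names, the versions and the advisory list below are all constructed placeholders, not the packages affected in the real incident.

```python
"""Audit an npm lockfile against an advisory list, integrity and registry policy."""
import json

# Constructed lockfile excerpt (npm lockfileVersion 3). Names, versions and
# integrity strings are placeholders, not real packages.
LOCKFILE_JSON = r'''{
  "name": "example-dapp",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-dapp", "version": "1.0.0"},
    "node_modules/left-widget": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/left-widget/-/left-widget-2.4.1.tgz",
      "integrity": "sha512-PLACEHOLDERAAAA"
    },
    "node_modules/addr-format": {
      "version": "1.0.7",
      "resolved": "https://registry.npmjs.org/addr-format/-/addr-format-1.0.7.tgz",
      "integrity": "sha512-PLACEHOLDERBBBB"
    },
    "node_modules/mirror-lib": {
      "version": "0.3.0",
      "resolved": "https://mirror.example.net/mirror-lib-0.3.0.tgz"
    }
  }
}'''

# Constructed advisory data: package name -> versions known to be malicious.
KNOWN_BAD = {"addr-format": {"1.0.7", "1.0.8"}}
# Registries from which tarballs may be fetched.
TRUSTED_REGISTRIES = ("https://registry.npmjs.org/",)


def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (scoped names keep their scope)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock_text, known_bad=KNOWN_BAD, trusted=TRUSTED_REGISTRIES):
    """Return a list of (name, version, reason) findings for a lockfile string."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        name, version = package_name(path), meta.get("version", "")
        if version in known_bad.get(name, ()):
            findings.append((name, version, "version is on the advisory list"))
        if "integrity" not in meta:
            findings.append((name, version, "no integrity hash; tarball cannot be verified"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(trusted):
            findings.append((name, version, f"resolved outside trusted registries: {resolved}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(LOCKFILE_JSON):
        print(f"{name}@{version}: {reason}")
```

Running it against the constructed lockfile yields three findings: the pinned advisory version of addr-format, and two for mirror-lib (no integrity hash, non-registry source). In a real pipeline the advisory dictionary would be fed from your vendor's evolving affected-package list, and the audit would run in CI before `npm ci` so that a poisoned version never reaches a build agent.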
$2.4 million drain after 10 validator keys lost: Shibarium, Shiba Inu’s blockchain bridge, suffered a $2.4 million flash loan exploit after an attacker borrowed 4.6 million BONE tokens and gained control of 10 of 12 validator keys, allowing them to drain funds, including 224.57 ETH and 92.6 billion SHIB, before developers intervened. The Shibarium team immediately paused network functions, secured remaining assets in a 6-of-9 multisig wallet, and engaged security firms to assess and contain the breach. The stolen BONE tokens remain partially locked due to unstaking delays, giving developers a potential avenue to recover funds. [more]
Flash loan vulnerability risking $160M: Marginfi, a Solana-based lending and borrowing protocol, patched a critical flash loan vulnerability that briefly put over $160 million in user funds at risk. The bug, reported by security researcher Felix Wilhelm via Marginfi’s bug bounty program, could have allowed attackers to borrow funds without repayment, but was fixed before any losses occurred. [more]
The flaw arose from a new instruction, transfer_to_new_account, which bypassed repayment checks by shifting liabilities mid-loan. Marginfi promptly deployed a patch to block such account transfers and prevent disabled accounts from being used for repayment.
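Added example, a hypothetical Python model and not Marginfi's Solana program: it reproduces the class of bug described above, where an account-transfer instruction moves the liabilities off the borrowing account while a flash loan is still open, so the end-of-loan repayment check inspects a clean account. The Ledger, Account and transfer_to_new_account names, the accounting rules and the amounts are assumptions made for illustration. The hardened flag applies the two fixes the item mentions: refusing the transfer while a flash loan is open, and refusing repayment from a disabled account.

```python
"""Toy flash-loan ledger: liability shifting mid-loan, flawed vs hardened."""
from dataclasses import dataclass, field


class LedgerError(Exception):
    """Raised when an instruction is rejected."""


@dataclass
class Account:
    name: str
    assets: float = 0.0
    liabilities: float = 0.0
    disabled: bool = False


@dataclass
class Ledger:
    pool: float = 1000.0          # liquidity available to lend (constructed)
    hardened: bool = False        # False reproduces the flawed rules
    flash_loan_open: bool = False
    accounts: dict = field(default_factory=dict)

    def open_account(self, name):
        acct = Account(name)
        self.accounts[name] = acct
        return acct

    def start_flash_loan(self, acct, amount):
        if self.flash_loan_open or amount > self.pool:
            raise LedgerError("cannot start flash loan")
        self.flash_loan_open = True
        self.pool -= amount
        acct.assets += amount
        acct.liabilities += amount

    def transfer_to_new_account(self, src, dst_name):
        # Hypothetical instruction: move the whole position to a fresh account
        # and disable the old one. Fix 1: refuse it while a flash loan is open.
        if self.hardened and self.flash_loan_open:
            raise LedgerError("account transfer rejected during flash loan")
        dst = self.open_account(dst_name)
        dst.assets, dst.liabilities = src.assets, src.liabilities
        src.assets = src.liabilities = 0.0
        src.disabled = True
        return dst

    def repay(self, acct, amount):
        # Fix 2: a disabled account cannot be used for repayment.
        if self.hardened and acct.disabled:
            raise LedgerError("disabled account cannot repay")
        if amount > acct.assets or amount > acct.liabilities:
            raise LedgerError("invalid repayment")
        acct.assets -= amount
        acct.liabilities -= amount
        self.pool += amount

    def end_flash_loan(self, acct):
        # The repayment check only inspects the account that opened the loan,
        # which is exactly why moving the debt elsewhere mid-loan is dangerous.
        if acct.liabilities > 0:
            raise LedgerError("flash loan not repaid")
        self.flash_loan_open = False


def run_scenario(hardened):
    """Open a loan, attempt the mid-loan transfer, close the loan; report state."""
    ledger = Ledger(hardened=hardened)
    borrower = ledger.open_account("borrower")
    ledger.start_flash_loan(borrower, 500.0)
    try:
        holder = ledger.transfer_to_new_account(borrower, "fresh")
        transfer_blocked = False
    except LedgerError:
        holder = borrower
        transfer_blocked = True
        ledger.repay(borrower, 500.0)      # the only path left: repay in full
    ledger.end_flash_loan(borrower)
    return {"transfer_blocked": transfer_blocked,
            "pool": ledger.pool,
            "unrepaid_debt": holder.liabilities}


def disabled_account_can_repay(hardened):
    """Whether an account disabled by a (loan-free) transfer can still repay."""
    ledger = Ledger(hardened=hardened)
    old = ledger.open_account("old")
    ledger.transfer_to_new_account(old, "new")   # no loan open, so allowed
    try:
        ledger.repay(old, 0.0)
        return True
    except LedgerError:
        return False


if __name__ == "__main__":
    print("flawed:  ", run_scenario(hardened=False))
    print("hardened:", run_scenario(hardened=True))
```

In the flawed configuration the loan closes with the pool 500 short and the debt sitting on an account the check never looked at; in the hardened configuration the transfer is refused, the borrower must repay, and the pool is whole again. The general lesson for any protocol with atomic borrow-then-check flows is that every instruction able to change which account holds a liability must be reasoned about as part of the loan's invariant, not just the repayment instruction.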
Polygon disrupted: Polygon’s proof-of-stake network experienced 10–15 minute transaction finality delays this week due to a bug in its node software affecting validator synchronization, though block production and checkpointing remained intact. Developers addressed the issue by executing a hard fork on September 10, deploying updates to the Bor and Heimdall layers, which restored consensus and milestone operations. While some third-party services and Polygonscan faced temporary disruptions, no funds were at risk, and Ethereum’s security remained unaffected. Following the upgrade, finality returned to normal. [more]