Cyber Security Headlines: W4SP stings PyPI, password hubris, Dropbox breached

W4SP malware stings PyPI

The software supply chain security firm Phylum published a report detailing 29 packages in the PyPI registry used to push the W4SP info-stealing malware. These packages all appear to be set up as typosquats, with names similar to popular packages. The attackers copied the original codebase and then injected the malware through an “import” statement. This includes copying the package's setup and README files, so it generates legitimate-looking landing pages with mostly working links. W4SP seems focused on stealing Discord tokens, cookies and saved passwords. The malicious packages had received over 5,700 downloads at the time of the report.

(Bleeping Computer)
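The typosquatting pattern described above can be checked for on the defender's side before install. The following is an added example, not code from Phylum's report or the article: it parses a requirements file and flags any dependency whose normalized name sits within a small edit distance of a well-known package. The allowlist of popular names and the requirements text are constructed samples.

```python
# Added example: flag dependency names that sit within a small edit distance
# of a well-known PyPI package, the pattern the W4SP typosquats relied on.
# POPULAR and SAMPLE_REQUIREMENTS are constructed samples, not real data.
import re

# Constructed allowlist of popular names a typosquat would imitate.
POPULAR = {"requests", "colorama", "pyyaml", "urllib3", "numpy", "pandas"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> list:
    """Return bare project names from requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("-"):      # skip blanks and -r/-e options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def suspicious(names, popular=POPULAR, max_dist=2):
    """Names not on the allowlist but within max_dist edits of an allowlisted one."""
    norm_pop = {normalize(p) for p in popular}
    hits = []
    for n in names:
        nn = normalize(n)
        if nn in norm_pop:
            continue                              # exact match: the real package
        best = min(norm_pop, key=lambda p: levenshtein(nn, p))
        d = levenshtein(nn, best)
        if d <= max_dist:
            hits.append((n, best, d))             # (requested, look-alike, distance)
    return hits


SAMPLE_REQUIREMENTS = """\
requests==2.28.1
colorsama          # constructed typosquat-like name
pyyaml>=6
urlib3             # constructed typosquat-like name
"""

if __name__ == "__main__":
    for name, target, dist in suspicious(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name}: {dist} edit(s) from {target}")
```

A hit is a prompt to verify the package on PyPI (author, history, download counts), not proof of malice; legitimate forks and plugins also sit close to popular names.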

LastPass warns of security hubris

The password manager released its fifth annual Psychology of Password report, which looked at password behaviors among professionals across age ranges. It found a disconnect between confidence of secure behavior and actual practice in Gen Z. They were the most confident in password management techniques, but were the most likely to use a variation of the same password across sites, relying the most on memorization. 65% of all respondents said they received some cybersecurity education, but of those, only 31% stopped reusing passwords as a result. Almost all respondents, 89%, recognized reusing passwords as a risk, but only 12% used different passwords on different accounts. 

(Dark Reading)

Dropbox breached

The cloud storage provider disclosed the breach. It saw threat actors gain access to one of its GitHub accounts through a phishing attack. This led to the theft of 130 code repositories. GitHub notified Dropbox of suspicious behavior on October 14th. Dropbox said the repositories contained credentials like API keys used by its developers. The attackers also obtained names and emails from a few thousand “Dropbox employees, current and past customers, sales leads, and vendors.” Stolen code did not include any for its core apps or infrastructure. Attackers never accessed customer accounts, passwords or payment info.

(Bleeping Computer)

Musk on Twitter bans

One of the big questions since Elon Musk acquired Twitter has been how the self-described “free speech absolutist” would handle previously banned accounts, specifically that of former President Donald Trump. Musk addressed these concerns, saying that the platform will not reinstate banned accounts before there is a clear process to do so. Musk said it will “take at least a few more weeks” to build that process, and that he has begun talks with civil rights leaders about joining a content moderation council.


Thanks to today’s episode sponsor, Votiro

UFOs are everywhere. They’re in your applications, cloud storage, endpoints, and emails.

That’s right – UFOs – Unidentified File Objects – are hiding in files across your organization. UFOs can contain malware that exfiltrates data or deploys ransomware. And 70% of UFOs can’t be detected by traditional scanning solutions like Anti-Virus and Sandboxing. That’s where Votiro comes in. Votiro prevents UFOs before they hitch a ride in on files – without detection, and without slowing down business.

Do you believe? Learn more at

Google dips its toe into text-to-image

Up until this year, the release of text-to-image engines to the general public caused some concern about how they would be used. With the release of Stability AI’s Stable Diffusion and OpenAI’s DALL-E 2, that theoretical cat is now largely out of the bag. Tortured metaphors aside, Google remains a big name when it comes to AI image generation, but one that so far has kept its tech away from public hands.

Now it’s making its Imagen text-to-image model available in its AI Test Kitchen. It previously used the space to provide limited access to its LaMDA model. Users won’t have full access to Imagen, but can interact with demos called “City Dreamer” and “Wobble.” The former will use the model to generate elements of a city around a user’s prompt. The latter does the same with creating a little monster. Google wants user feedback on how users try to break the system, as well as how well it works overall.

(The Verge)

TikTok sends European data to China

The popular social network updated its privacy policy, outlining that European user data can be accessed by its employees outside of the bloc, including in Brazil, Canada, Israel, the US, and China. TikTok claims that employees use the data to make the platform “consistent, enjoyable and safe”. According to its head of privacy in Europe, Elaine Fox, the data will be “subject to a series of robust security controls and approval protocols” using methods recognized under GDPR. This comes as the US government continues to wrangle with TikTok over storing US user data in China. The new policy goes into effect December 2nd.

(The Guardian)

Twitter disrupts China-based influence operation

The recently acquired social network released data on the covert operation to researchers and the Washington Post. Twitter removed three distinct networks operating out of Japan, taking down 2,000 user accounts. These posed as US-based. Two targeted a right-leaning audience, one left-leaning, all of them hitting on hot-button issues including election-rigging, trying to stoke hyper-partisan discord. These takedowns occurred between April and October, with one network tweeting over 250,000 times. Some of these accounts also built sizeable followings, with one account having over 26,000 followers and receiving 180,000 retweets of various conspiracy theories.


DoJ indicts hacker group for RICO Conspiracy

The US Department of Justice partially unsealed charges against eight individuals involved in a cybercrime organization operating a Racketeer Influenced and Corrupt Organizations (RICO) conspiracy. The accused allegedly purchased server credentials of CPAs and tax prep firms on the dark web. They used this access to steal thousands of tax returns, file false returns, and then open bank accounts under a fraudulent tax business to receive “tax preparer fees.” The group claimed over $36 million in false refunds, but the actual loss amount appears to be around $4 million. The operators face up to 44 years in prison.

(InfoSecurity Magazine)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.