In partnership with
⏱️ ≈ 7-minute read
Editor’s Note: Between government shutdowns hobbling defenders, AI companies fending off nation-state hackers, and literal robot botnets, this week feels like someone hit shuffle on the cyber timeline. Grab your coffee and your SOC dashboard — this one’s dense.
📬 This Week’s Clickables
📌 Big News: AI takes on nation-state hackers, and the U.S. Air Force fights SharePoint fallout
🚨 Can’t Miss: CISA on ice, Cl0p on Oracle, ransomware alliances, and zero-click chaos
🤖 AI in Cyber: Browser exploits, poisoned prompts, and agent exfiltration threats
🧪 Strange Cyber Story: Robot botnets are now a thing. Seriously.
🚨 Big Stories
🤖 OpenAI Disrupts Russian, North Korean & Chinese Actors Misusing ChatGPT
Intro:
The AI arms race just turned defensive. OpenAI revealed it has actively dismantled multiple state-linked threat clusters that were using ChatGPT to develop malware and automate offensive cyber operations. It’s the company’s boldest public step yet into the murky world of national security.
What Happened:
OpenAI announced it dismantled three nation-state clusters that were weaponizing ChatGPT — including Russian and North Korean groups building malware prototypes and a Chinese operation converting Chrome extensions into Safari versions to bypass detection. The company said it worked with U.S. intelligence to attribute and shut down the clusters.
Why It’s Important:
It’s the first time OpenAI has publicly named and neutralized government-linked misuse on its platform, setting a precedent for AI provider accountability.
The Other Side:
Skeptics note OpenAI’s detection powers remain opaque — and stopping API abuse is a perpetual game of whack-a-mole.
Takeaway:
AI firms are now de facto participants in the global cyber defense ecosystem.
TL;DR: If the AI arms race wasn’t geopolitical before, it definitely is now.
Further Reading: The Hacker News
In 1986, the U.S. Congress passed the Computer Fraud and Abuse Act (CFAA) — before the first web browser existed. The law still underpins much of modern cybercrime prosecution.Intro:
When even the Air Force gets tripped up by permissions, you know it’s been a week. A seemingly small SharePoint misconfiguration led to a sensitive data exposure inside the U.S. Air Force, forcing an internal lockdown and raising new concerns about cloud governance across defense networks.
What Happened:
The U.S. Air Force confirmed a data exposure incident stemming from a permissions misconfiguration in Microsoft SharePoint that leaked PII and PHI across internal systems. Temporary access suspensions were issued while forensics teams assess the damage. Early indicators suggest the data was inadvertently indexed in a public SharePoint portal.
Why It’s Important:
It underscores how configuration risk — not zero-days — continues to drive high-impact breaches even in hardened government environments.
The Other Side:
Microsoft’s shared-responsibility model means most of the fallout (and blame) will sit with the Air Force’s internal IT.
Takeaway:
Misconfigurations remain the military’s Achilles’ heel — and attackers know it.
TL;DR: Sometimes the weakest link isn’t the software, it’s the checkbox.
Further Reading: TechRadar
Take control of your chaotic inbox
Stop drowning in spam. Proton Mail keeps your inbox clean, private, and focused—without ads or filters.
🔥 Can’t Miss
🏛️ CISA Shutdown Deepens as Cyber Law Expires and Workforce Shrinks
The U.S. government shutdown has gutted CISA’s operations, with only one-third of its workforce — around 889 employees — still active. To make matters worse, the Cybersecurity Information Sharing Act (CISA 2015) expired on October 1, removing legal protections for public-private threat intel exchange. Industry partners warn that this double blow could delay vulnerability alerts for weeks.
👉️ America’s “shield” is now in sleep mode — and adversaries are wide awake.💼 BatShadow Group Deploys New Go-based “Vampire Bot” Targeting Job Seekers
Cybercriminals posing as recruiters are luring job hunters with fake postings, then dropping a Go-based malware chain dubbed Vampire Bot. Once executed, it exfiltrates credentials and screenshots while quietly updating itself via GitHub. Analysts say this marks one of the first large-scale malware campaigns using Go for stealth and adaptability.
👉️ Because nothing says “career growth” like remote code execution.🔗 LockBit, Qilin, and DragonForce Form Ransomware Alliance
Three notorious ransomware groups — LockBit, Qilin, and DragonForce — have announced a “strategic alliance” to share infrastructure, encryption tooling, and affiliates. Researchers believe the collaboration could lead to faster cross-group payload evolution and expanded victim targeting.
👉️ When the bad guys form startups, it’s time to rethink the market share chart.🧩 Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploits Zero-Day
Oracle released an emergency patch for CVE-2025-61882 after Cl0p ransomware operators began exploiting the flaw in Oracle E-Business Suite to exfiltrate and extort corporate customers. Victims have received ransom notes demanding Bitcoin payments to prevent data publication.
👉️ Patch Tuesday came early — because Cl0p didn’t wait for Tuesday.
It’s 2025. You’re still not on beehiiv?
beehiiv makes creating newsletters effortless: write beautifully, grow endlessly, and earn on autopilot. From day one.
No expensive add-ons. No “maybe if I connect 5 different apps this will work better.” Just one platform that creators, entrepreneurs, and the biggest media brands trust to turn emails into empires.
Thousands of creators (including the absolute genius sending this newsletter) are building real businesses on beehiiv. It’s time for you to get in on the action.
🤖 AI in Cyber
✉️ ShadowLeak: Zero-Click Gmail Data Exfiltration via ChatGPT Deep Research Agent
A zero-click exploit discovered in OpenAI’s Deep Research agent could silently pull Gmail data linked to user sessions. The flaw, now patched, didn’t need user interaction — only a crafted inbound email. It highlights how server-side AI agents can be manipulated from the outside without touching an endpoint.
👉️ When your inbox can hack itself, “click safely” doesn’t cut it anymore.CometJacking: hidden URL instructions leak private data from AI browsers
Researchers exposed “CometJacking,” where invisible instructions embedded in URLs can hijack AI browsers (like Perplexity’s Comet) to reveal emails, docs, or calendar data.
👉️ AI in your browser means your tabs are now potential attack surfaces.Prompt poisoning attacks hijack AI assistants to leak data
Malicious instructions hidden in seemingly benign data fields can manipulate AI agents to perform unintended actions — from exfiltrating credentials to deleting records.
👉️ Every prompt is a possible payload.ForcedLeak in Salesforce’s Agentforce exposes CRM data
(Yes, again — it’s that important.) Researchers showed that simple field injections could command Salesforce’s AI to expose private client data.
👉️ Cross-listed because it’s a textbook case of how AI integrations become security liabilities.
🧟♂️ Strange Cyber
🤖 Humanoid Robots Hit by Bluetooth Worm “UniPwn”
Intro:
Researchers discovered a BLE vulnerability in Unitree’s humanoid robots that allows a self-spreading worm — dubbed UniPwn — to jump between nearby units over Bluetooth, no user input required.
What Happened:
The exploit enables remote attackers to take control of one robot, then automatically spread malware to others in proximity — effectively creating a mobile, autonomous botnet. Researchers demonstrated how infected robots could synchronize movement and overload local networks.
Why It’s Important:
It’s a wake-up call for robotics manufacturers — BLE convenience features often bypass rigorous cybersecurity design, especially in consumer and educational robot models.
The Other Side:
Unitree says firmware updates are rolling out globally, but researchers warn that similar flaws likely exist in other BLE-enabled robotics platforms that share chipsets.
Takeaway:
The future isn’t “robots taking over the world” — it’s robots accidentally infecting each other.
TL;DR: Patch your androids. Before they patch you.
Further Reading: PC Gamer
Thanks for reading this week’s edition. Like what you see? Forward it!
Hate everything you see or have other feedback? Reply back to this email!