📋 Top Headlines at a Glance

1. Friday Squid Blogging: Jurassic Fish Chokes on Squid
2. LinkedIn secretely scans for 6,000+ Chrome extensions, collects data
3. China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
4. Trump budget proposal would cut hundreds of millions more from CISA
5. Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting

   Executive Summary: Today's intelligence highlights a complex and escalating threat landscape. We observe active nation-state targeting of European governments, expanding supply chain attack vectors exacerbated by inter-hacker conflicts, and significant privacy concerns stemming from widespread browser data collection by major platforms. Concurrently, proposed budget cuts to critical cybersecurity infrastructure signal potential future vulnerabilities. Organizations must prioritize robust supply chain security, enhance user privacy controls, and remain vigilant against sophisticated phishing and data exfiltration attempts.

🌍 Technical Intelligence Breakdown

🦑 Friday Squid Blogging: Jurassic Fish Chokes on Squid

Dataset provides limited detail regarding specific cyber threats. This entry serves as a general reminder for continuous threat intelligence monitoring.

• Context: A non-cyber-related post about a fossilized fish.
• Implication for Cyber: While not a direct cyber threat, the post's concluding remark about discussing "security stories in the news that I haven’t covered" underscores the constant need for organizations to maintain broad awareness of emerging threats beyond specific, reported incidents.
• Defensive Action: Encourage proactive threat hunting and intelligence gathering from diverse sources to identify risks not yet widely publicized.

🕵️ LinkedIn secretely scans for 6,000+ Chrome extensions, collects data

A new report, dubbed BrowserGate, reveals that LinkedIn is employing hidden JavaScript to scan user browsers for installed extensions and collect device data.

• Discovery: hidden JavaScript scripts are reportedly used on the LinkedIn website.
• Scope: The scripts are designed to scan visitors' browsers for installed extensions.
• Data Collection: The process also collects device data.
• Privacy Implications: This activity raises significant privacy concerns regarding the extent of data collection by online platforms and the potential for profiling users based on their browser configurations and installed software.
• Defensive Action:
  • Advise users to review browser extension permissions and only install necessary, trusted extensions.
  • Consider using browser privacy-enhancing tools that block script execution or fingerprinting attempts.
  • Educate employees on the implications of extensive data collection by web services.

🎯 China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

A China-aligned threat actor, TA416, has resumed targeting European government and diplomatic organizations since mid-2025, following a period of reduced activity. The campaign utilizes PlugX malware and OAuth-Based Phishing.

• Threat Actor: TA416, which overlaps with known groups such as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
• Targeting: European government and diplomatic organizations.
• Timeline: Active since mid-2025, marking a resurgence in the region.
• Attack Vectors: The campaign involves OAuth-Based Phishing, likely to gain access to accounts and data, and the deployment of PlugX malware, a known remote access trojan.
• Defensive Action:
  • Implement robust multi-factor authentication (MFA) across all accounts, especially for OAuth-enabled services.
  • Conduct regular employee training on identifying sophisticated phishing attempts, particularly those leveraging OAuth consent screens.
  • Deploy endpoint detection and response (EDR) solutions capable of detecting PlugX and similar malware.
  • Monitor for unusual OAuth grant requests and suspicious account activity.

✂️ Trump budget proposal would cut hundreds of millions more from CISA

A proposed budget reduction would significantly cut funding for the Cybersecurity and Infrastructure Security Agency (CISA).

• Impacted Entity: The Cybersecurity and Infrastructure Security Agency (CISA).
• Proposed Action: A budget proposal includes cuts of hundreds of millions more from CISA's funding.
• Concerns: A top congressional Democrat has criticized both the scope and nature of the proposed reduction.
• Strategic Implication: Such cuts could severely impact CISA's ability to protect critical infrastructure, respond to cyber incidents, and provide essential cybersecurity services to federal agencies and private sector partners.
• Defensive Action:
  • Organizations should not rely solely on government agencies for their cybersecurity posture.
  • Invest in internal cybersecurity capabilities and threat intelligence sharing networks.
  • Advocate for sustained funding for national cybersecurity initiatives to ensure a robust collective defense.

💥 Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting

The impact of TeamPCP's supply chain attacks is widening, with organizations disclosing breaches. This situation is further complicated by other threat groups, ShinyHunters and Lapsus$, claiming involvement and creating a murky situation for enterprises.

• Primary Threat: TeamPCP is executing supply chain attacks.
• Expanding Impact: The blast radius of these attacks is expanding, leading to more organizations disclosing breaches.
• Complicating Factors: ShinyHunters and Lapsus$ are reportedly getting involved, taking credit, and contributing to a murky situation for affected enterprises. This hacker infighting can obscure attribution and complicate incident response.
• Defensive Action:
  • Implement stringent supply chain risk management, including vetting third-party vendors and monitoring their security posture.
  • Conduct regular audits of third-party access and permissions.
  • Develop robust incident response plans specifically for supply chain compromises, including clear communication protocols.
  • Enhance monitoring for indicators of compromise (IOCs) related to TeamPCP, ShinyHunters, and Lapsus$.

📉 Threat Landscape & Trends

• Nation-State Resurgence: Persistent and re-energized nation-state activity, specifically from China-aligned groups like TA416, continues to target sensitive sectors such as government and diplomatic entities with sophisticated techniques like OAuth-Based Phishing and PlugX.
• Supply Chain Vulnerability: Supply chain attacks remain a critical vector, with groups like TeamPCP exploiting dependencies, and the landscape is further complicated by hacker infighting and competing claims from groups like ShinyHunters and Lapsus$, making attribution and response challenging.
• Privacy Erosion & Data Collection: Aggressive, often hidden, data collection practices by major platforms, as exemplified by LinkedIn's BrowserGate report, highlight a growing concern over user privacy and the extent of digital footprint tracking.
• Cybersecurity Funding Challenges: Proposed budget cuts to key national cybersecurity agencies like CISA could weaken collective defense capabilities and increase overall systemic risk, requiring organizations to bolster their independent security investments.

📌 Strategic Takeaway

Organizations must adopt a proactive, multi-layered defense strategy that accounts for sophisticated nation-state threats, rigorously secures the supply chain against evolving attack groups, and critically evaluates third-party data collection practices, all while preparing for potential reductions in national cybersecurity support.

---

🔗 References

1. Friday Squid Blogging: Jurassic Fish Chokes on Squid
2. LinkedIn secretely scans for 6,000+ Chrome extensions, collects data
3. China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
4. Trump budget proposal would cut hundreds of millions more from CISA
5. Blast Radius of TeamPCP Attacks Expands Amid Hacker Infighting