Google Observes ViewState Deserialization Attacks Leveraging Exposed Sample Machine Key
Recent research has identified ongoing ViewState deserialization attacks exploiting an exposed sample machine key that appeared in older deployment guides. This campaign targets web applications using ASP.NET, potentially allowing attackers to execute arbitrary code remotely.
Technical Details of the ViewState Exploit
The vulnerability lies in how some developers followed outdated documentation, leaving a sample machineKey in production environments rather than generating unique keys per deployment. ViewState, responsible for maintaining the state of web pages in ASP.NET, uses cryptographic keys to protect data against tampering. When attackers have access to these keys, they can create malicious ViewState payloads that are accepted and executed by the server.
Attack Methodology
Exploit attempts focus on identifying ASP.NET endpoints susceptible to unsigned or improperly signed ViewState data. Using the sample machineKey, attackers craft serialized objects that take advantage of server-side logic flaws, often culminating in remote code execution capabilities. Automated tools scan for targets and deliver the payload via crafted POST requests.
Mitigation Recommendations
Security teams are urged to audit systems for default or sample cryptographic keys. Transitioning to securely generated unique keys, applying patches, and disabling ViewState MAC where not needed reduce exposure. Application firewalls and strict server-side validation also limit attack avenues.
Chrome Patches High-Severity Use-After-Free Vulnerability in V8 Engine
Google has released an urgent security update for Chrome, addressing a high-severity use-after-free vulnerability in the V8 JavaScript engine that could enable remote code execution. This flaw posed a significant threat to users who browse untrusted sites.
Vulnerability Overview
The exploit centered on improper memory management in the V8 engine; after freeing certain objects, subsequent code paths could access stale pointers, enabling attackers to manipulate program execution flow. Exploitation allowed adversaries to run arbitrary code within the context of the browser, potentially chaining with other vulnerabilities for sandbox escape.
Technical Analysis
Attackers leveraged crafted JavaScript to trigger predictable memory allocations and deallocations, orchestrating use-after-free scenarios that permit execution of malicious code. Proof-of-concept scripts showed how manipulated arrays and buffer operations could corrupt the engine’s memory space.
Security Guidance
Users should apply the latest Chrome update without delay. Organizations are encouraged to monitor browser exploitation attempts, enforce automated patching, and restrict untrusted web access. Developers should review usage of dynamic memory in browser-based engines.
TransUnion Breach Impacts 4.4 Million Individuals
TransUnion, a leading credit reporting agency, confirmed a data breach affecting approximately 4.4 million people. The attackers were able to access sensitive information, fueling concerns over identity theft risks.
Incident Timeline and Discovery
Attackers infiltrated systems by exploiting a vulnerability in web-facing infrastructure, maintaining persistence before being detected by internal monitoring tools. TransUnion reported the breach after confirming unauthorized access to personal data such as names, addresses, Social Security numbers, and credit histories.
Nature of the Compromise
The breach appears to have employed a combination of spear-phishing and exploitation of legacy software vulnerabilities. Forensic analysis showed lateral movement between internal servers, exfiltration of large databases, and attempts to mask activity using encrypted channels.
Response and Impact Mitigation
TransUnion initiated password resets, incident response protocols, and engaged cybersecurity experts to investigate the breach’s full scope. Impacted individuals received notifications and identity protection services. Regulators are coordinating with TransUnion on ongoing assessments.
Attackers Abuse Velociraptor Incident Response Tool for Malicious Access
Threat actors have begun leveraging Velociraptor, a popular open-source incident response tool, to establish persistence and exfiltrate sensitive information from compromised networks. This novel abuse method highlights potential risks in deploying cybersecurity utilities without adequate control.
Attack Vector and Capabilities
Adversaries first obtain privileged access, commonly through phishing or software exploits, then deploy Velociraptor to monitor system activity under the guise of legitimate operations. They use Velociraptor’s built-in scripting and remote command features to stealthily collect credentials, network configurations, and files.
Detection and Defense Measures
Organizations should audit critical assets for unauthorized deployments of security tools. Strict access controls, behavioral monitoring, and inventories of approved software reduce the risk of such abuse. Regularly reviewing logs and restricting tool execution to identified personnel are recommended.
Supply-Chain Attack on npm ‘Nx’ Package Leaks 20,000 Sensitive Files
A supply-chain attack on the npm package ‘Nx’ resulted in the exposure of over 20,000 sensitive internal files from various downstream projects. The compromise underscores the ongoing risks facing open-source package ecosystems.
Attack Chain Breakdown
Attackers gained access to the account of a maintainer, injecting malicious code into several Nx package versions. The payload was designed to enumerate and upload proprietary configuration files, secrets, and source code from users installing or updating affected packages.
Scope and Impact
Developers and organizations using Nx in build processes reported unauthorized file transfers to attacker-controlled servers. The breach led to evaluation of audit protocols, with investigations revealing exposure of API credentials and cryptographic keys in some cases.
Community Response
The npm ecosystem responded swiftly by removing compromised packages and urging all consumers to rotate credentials and perform detailed audits. Package maintainers are adopting stricter security and release procedures.
Android September 2025 Security Update Patches Record 120 Vulnerabilities
Google addressed a record-breaking 120 vulnerabilities in its September 2025 Android security update, including two flaws that were being actively exploited in targeted attacks.
Risk Assessment and Vulnerability Context
The vulnerabilities covered a broad spectrum of Android components, including the kernel, system libraries, and third-party drivers. Two vulnerabilities were actively weaponized, with exploitation methods focusing on privilege escalation and remote code execution on affected devices.
Patching and Recommendations
Device manufacturers are rapidly rolling out the patches, but users are urged to update as soon as possible to mitigate risk. Enterprise device managers should enforce update policies and monitor device health for attempts to exploit unpatched systems.
Legislative Push to Reauthorize the Cybersecurity Act of 2015 and WIMWIG Act
US lawmakers have introduced the Widespread Information Management for the Welfare of Infrastructure and Government (WIMWIG) Act, aiming to extend and reform key cyber threat information sharing frameworks before their expiration. This move has received broad support across telecommunications and critical infrastructure sectors.
Policy Context and Stakeholder Perspectives
The legislation seeks to reauthorize the Cybersecurity Act of 2015, which enabled flexible, trusted sharing of threat indicators between industry and government. Leaders from telecom and defense highlight the role of legal protections and streamlined sharing protocols in enabling rapid detection and response to cyber incidents.
Technical and Strategic Implications
Reauthorizing these frameworks is deemed essential for protecting connected infrastructure from new threat actors and coordinated attacks. Supporters underscore the importance of maintaining cross-sector visibility and up-to-date intelligence feeds to counter evolving tactics.