Infosec In Brief A security researcher looking at samples of stalkerware discovered an SQL vulnerability that allowed him to steal a database of 62,000 user accounts.
Eric Daigle published a blog post this week detailing how he found a piece of stalkerware he wasn’t familiar with, Catwatchful, and then quickly proceeded to pwn it into temporary oblivion.
Stalkerware or spyware is a form of software used to track people’s computer activity. It is typically installed by parents, spouses, or employers with physical access to the user’s computer, and tends to be undetectable and very hard to remove. The number of stalkerware installations has been steadily on the rise, even as it’s repeatedly been breached by online vigilantes and security researchers.
According to Daigle, Catwatchful is a spyware kit that promises to be undetectable and unstoppable, with only the controller able to make use of it on an infected device or delete it. While it “works really well” for its intended purpose, Daigle also noted that Catwatchful made two POST requests to separate servers when he tried to log into the app.
One of the two servers, it turned out, had no appreciable security system installed, allowing Daigle to copy plaintext login details for all 62,000 Catwatchful accounts in the group’s system, including the administrator’s. Oops.
Working with reporters from TechCrunch, Daigle even managed to help identify the alleged administrator of Catwatchful, as well as get its hosters to take it down.
Unfortunately for its stalkees, Catwatchful has remained online as of this week, Daigle says, with temporary sites stood up to replace seized domains, and patches deployed to address the SQLi vulnerability.
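The Catwatchful story combines two defects a defender should be able to recognise on sight: a login path that spliced user input straight into SQL, and a server that held every account's password in the clear. The following is an added illustration, not code from Daigle's post or from Catwatchful, using constructed sample accounts in an in-memory SQLite database. It shows that a perfectly benign apostrophe in a username is enough to break the string-built query (proof that the database is parsing user input as SQL), while the bound-parameter version with salted scrypt hashing handles the same input correctly and leaves nothing worth copying if the table is ever dumped.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not real data from any service).
SAMPLE_ACCOUNTS = [
    ("alice", "correct horse battery staple"),
    ("o'brien", "hunter2!"),  # the apostrophe is the interesting part
]


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash: a dumped table yields hashes, not reusable passwords."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def build_db() -> sqlite3.Connection:
    """In-memory DB with a plaintext table (the weak design) and a hashed one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_ACCOUNTS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)",
                     (user, salt, hash_password(pw, salt)))
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Weak form: input is formatted into the SQL text and passwords sit in the clear.
    Any quote character in the input changes the statement the database parses."""
    sql = (f"SELECT 1 FROM users_plain WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: values are bound as parameters, never parsed as SQL, and the
    stored value is a salted scrypt hash compared in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users_hashed WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def demo() -> dict:
    """Run both login paths against the sample data and report what happened."""
    conn = build_db()
    results = {
        "safe_alice": login_safe(conn, "alice", "correct horse battery staple"),
        "safe_wrong": login_safe(conn, "alice", "wrong password"),
        "safe_quote": login_safe(conn, "o'brien", "hunter2!"),
        "unsafe_alice": login_unsafe(conn, "alice", "correct horse battery staple"),
    }
    try:
        login_unsafe(conn, "o'brien", "hunter2!")
        results["unsafe_quote"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe ended the string literal early: the DB saw user input as SQL.
        results["unsafe_quote"] = "sql syntax broken by user input"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The syntax error from `login_unsafe` is the tell: an apostrophe in a legitimate username should never reach the SQL parser, and when it does, so would anything else a client chooses to send. The hardened path keeps data and code separate at the database boundary, and the scrypt hash plus `hmac.compare_digest` means a copied table is not a list of working credentials.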
Critical vulnerabilities of the week: Chrome zero day patched
Google moved fast this week to patch a zero-day in the V8 JavaScript engine after it was found being exploited in the wild, so don’t skip this stable channel update for Chrome Desktop on Windows, Mac, and Linux.
The patch addresses CVE-2025-6554 (CVSS 8.1), a type confusion vulnerability in V8 that allows a remote attacker to perform an arbitrary read/write via a specially crafted HTML item.
Elsewhere:
- CVSS 9.6 – CVE-2024-45347: Xiaomi Mi Connect Service APP contains a logic flaw that can allow an attacker to gain unauthorized access to a victim’s device.
Another Swiss government partner gets ransomed
The Swiss government said this week that the Radix foundation, an NGO dedicated to healthcare promotion, was hit by ransomware. Given Radix counts a number of government agencies among its customers, the government saw fit to report the matter even though no government data was stolen.
“As Radix has no direct access to Federal Administration systems, the attackers did not gain entry to these systems at any time,” the Swiss government said – but government data on Radix’s own systems isn’t necessarily safe, mind you.
While it hasn’t shared how many government documents may have been exposed this time around, it could be a sizable amount. The Play ransomware gang hit a Swiss government IT supplier last year and made off with some 65,000 government files among more than a million more stolen from the biz.
IDE extension verification is easy to spoof, say researchers
Software supply chain security is a critical part of modern cyber hygiene, and that includes verification of extensions used in IDEs. Unfortunately it’s easy to spoof such verification in several top IDEs, researchers from OX Security claim.
The OX team, makers of application-level security products, published research this week showing that verification in VSCode, Visual Studio and IntelliJ IDEA can all be spoofed, allowing a malicious IDE extension to pass itself off as a trustworthy one.
“The ability to inject malicious code into extensions, package them as VSIX/ZIP files, and install them while maintaining the verified symbols across multiple major development platforms poses a serious risk,” the OX team said.
With verification marks no longer sufficient to judge authenticity of IDE packages, OX recommends only installing extensions directly from official marketplaces rather than from files, while extension developers and IDE makers should be sure there are multiple methods of extension signing available to ensure file security.
It wouldn’t be a roundup without a healthcare breach
Healthcare providers are frequently targeted by data thieves, and for good reason: They’re soft targets, they possess valuable PII, and they often pay up in the case of ransomware. This week’s entrant involves US player Esse Health, based in St Louis, Missouri.
Esse began letting customers know this week that it had been breached in April, and that data belonging to some 263,601 people was possibly stolen. Data included names, addresses, dates of birth and healthcare information – all the usual stuff – though luckily medical records themselves weren’t stolen.
Reports from shortly after the attack indicate it affected Esse phone systems and forced offices to cancel some appointments due to other outages.
As is often the case, customers in the firing line are being given some free identity protection service, and the assurance that none of their data has been misused in any way Esse can tell – at least not yet.
CVE program begs you to help it help itself
Things have been a bit perilous for the Common Vulnerabilities and Exposures program of late, with the Trump administration letting funding for the program expire until it was saved, for a moment, via a temporary contract extension. CVE board members were reportedly kept in the dark about the end of the program, and now Congress wants a review of the program to check for mismanagement.
In other words, there’s enough to do without thinking about how the CVE program might be improved if it doesn’t vanish down the memory hole, which is where you, dear infosec professional, come in.
The CVE Program has created a pair of working groups, one for security researchers at CVE numbering authorities (CNAs) and another for consumers, which includes basically everyone else.
Research Working Group members will be working to establish research norms and advising other members of the research community with an aim to “promote the CVE program,” while consumers will work to identify what users of the CVE system want and need “to ensure that the CVE Program remains aligned with real-world use cases.”
Make your voice heard at the links above. ®