GitLab secrets exposure, holiday scam domains, ShinyHunters RaaS, LLM jailbreaking, SaaS breaches
Daily Threat Intel Digest - 2025-11-28
Critical Threats
GitLab Repositories Expose Over 17,000 Secrets
A comprehensive scan of all 5.6 million public GitLab repositories revealed over 17,000 exposed secrets, including passwords, API keys, and other credentials, spread across more than 2,800 unique domains. The sheer volume of sensitive data left in public code represents a significant and ongoing risk.
So What? These aren't just potential vulnerabilities; they are live keys likely being harvested by automated tools right now for initial access, supply chain compromise, and data exfiltration. DevOps and security teams must immediately audit their public-facing code for hardcoded secrets and enforce robust pre-commit secret scanning.
Source: Public GitLab repositories exposed more than 17,000 secrets
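The pre-commit secret scanning recommended above, as an added example that is not code from the digest or from GitLab: a small scanner that matches credential-shaped strings (AWS access key ids, GitHub tokens, private-key headers, and generic `password=`/`token=` assignments) and applies a Shannon-entropy threshold to the generic matches so placeholders such as `changemechangeme` are not flagged. The rule set, the entropy threshold, the `scan_files` interface and the sample files are all assumptions made for illustration; a real hook would feed it the staged diff and use a maintained ruleset.

```python
"""Minimal pre-commit secret scanner (added example; rules and thresholds are illustrative)."""
import math
import re
from dataclasses import dataclass

# Detection rules. The AWS and GitHub token shapes follow their widely documented
# formats; the generic rule is a catch-all for key=value style assignments.
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"
    ),
}
# Generic matches below this Shannon entropy (bits per character) are treated as
# placeholders rather than live credentials and are not reported (assumed value).
ENTROPY_THRESHOLD = 3.0


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    redacted: str  # first four characters only; the full value is never printed


def shannon_entropy(value: str) -> float:
    """Bits per character; random, machine-generated material scores high."""
    if not value:
        return 0.0
    n = len(value)
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "*" * max(len(value) - 4, 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, rule) match that passes the filters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            candidate = m.group(1) if m.groups() else m.group(0)
            if rule == "generic_assignment" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a real secret
            findings.append(Finding(path, line_no, rule, redact(candidate)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a hook would build from staged files."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input standing in for staged files. The AWS value is the
# example key id from AWS's own documentation; the API token is random-looking filler.
SAMPLE_FILES = {
    "config/settings.py": (
        "DEBUG = True\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'changemechangeme'\n"
        "API_TOKEN = 'q7Zp3vL9xR2mK8nW4tY6bH1cJ5dF0gS'\n"
    ),
    "README.md": "Set PASSWORD=<your-password-here> before running.\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
}


if __name__ == "__main__":
    import sys

    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.redacted})")
    # A non-zero exit blocks the commit when this runs as a pre-commit hook.
    sys.exit(1 if results else 0)
```

On the sample input the scanner reports the AWS key id, the high-entropy API token and the private-key header, and stays silent on the `changemechangeme` placeholder and the README's `<your-password-here>`. The entropy filter is what keeps a hook like this usable day to day; without it, every documentation snippet with `password=` in it would block a commit.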
Cybercriminals Register 18,000 Holiday-Themed Scam Domains
FortiGuard Labs is tracking a massive surge in holiday-themed domain registrations, with over 18,000 new domains poised to be used in phishing, credential theft, and online fraud campaigns targeting shoppers and retailers. This is an annual event, but the scale and sophistication of these operations continue to grow.
So What? This isn't a future threat; it's the infrastructure being built for attacks happening right now. Security teams should proactively block these domains and elevate user awareness about suspicious holiday deals, delivery notifications, and gift card offers.
Source: Cybercriminals Register 18,000 Holiday-Themed Domains to Launch Seasonal Scams
French Football Federation Discloses Data Breach
The French Football Federation (FFF) confirmed a cyberattack in which threat actors used a compromised account to breach administrative management software. The incident highlights the continued effectiveness of credential-based attacks against high-profile organizations.
So What? For any organization, this is a reminder that a single compromised account can be a gateway to sensitive data. It underscores the critical need for multi-factor authentication (MFA), rigorous account monitoring, and limiting access based on the principle of least privilege.
Source: French Football Federation discloses data breach after cyberattack
Vulnerabilities & Exploits
Adversarial Poetry Jailbreaks Leading LLMs
New research has demonstrated a simple but highly effective method for jailbreaking Large Language Models: turning malicious prompts into poetry. By embedding harmful instructions in verse, researchers successfully bypassed safety filters on dozens of models with high success rates, proving a fundamental weakness in current alignment techniques.
So What? This reveals that stylistic changes alone can circumvent sophisticated AI safety controls. For developers and security professionals relying on LLMs for any security-sensitive task, this means current filtering mechanisms cannot be fully trusted and require additional layers of validation.
Source: Prompt Injection Through Poetry
Gainsight Token Breach Linked to Salesforce Advisory
Customer success platform Gainsight confirmed a security incident in which customer tokens were compromised, directly linking the issue to a recent Salesforce security advisory. The breach allowed attackers to access data via the compromised integration tokens.
So What? This highlights the interconnected risks of SaaS ecosystems. A vulnerability in one critical platform (Salesforce) can have a cascading effect, compromising all connected applications. Organizations using integrated platforms must treat vendor advisories with urgency and have a plan to rapidly rotate third-party API tokens.
Source: Gainsight Verifies Token Breach Linked to Salesforce Advisory, Issues New IOCs
Threat Actor Activity
ShinyHunters Develop Sophisticated New RaaS Tool
The notorious data theft group ShinyHunters appears to be making a significant leap into the ransomware world with the development of their own Ransomware-as-a-Service (RaaS) platform, "ShinySp1d3r." This marks a major evolution in their operations, moving from selling stolen data to directly deploying encryption.
So What? The entry of an established, successful data theft group into the RaaS space will likely lower the barrier to entry for other criminals and increase the overall volume and sophistication of ransomware attacks. Defenders should monitor for TTPs associated with ShinyHunters and prepare for potential shifts in their targeting.
Source: ShinyHunters Develop Sophisticated New Ransomware-as-a-Service Tool
Poland Arrests Suspected Russian Hacker Targeting Local Networks
Polish authorities have detained a Russian national suspected of conducting cyberattacks against organizations within Poland. The arrest underscores the ongoing threat of state-aligned hacking activity against European nations and the increasing willingness of law enforcement to act.
So What? This is a tangible example of geopolitical tensions playing out in cyberspace. While the arrest disrupts one operator, it serves as a reminder that organizations, particularly those in critical infrastructure or government-adjacent sectors, are prime targets for state-sponsored groups.
Source: Poland Arrests Suspected Russian Hacker Targeting Local Organizations' Networks
Security Tools & Defenses
GitGuardian Uses ML to Triage 10,000 Alerts in Seconds
With 23.7 million new secrets discovered on GitHub last year, alert fatigue is a real danger. GitGuardian is using a machine learning model (XGBoost) to rank secret leakage incidents by risk, achieving 3x faster review times and a 75% precision rate on critical alerts.
So What? This demonstrates a practical application of AI to cut through the noise and focus on what matters. For SecOps teams, this kind of context-aware, AI-driven prioritization is becoming essential to move from reactive alert-chasing to proactive threat hunting.
Source: How Machine Learning Transforms Security Alert Chaos into Actionable Intelligence
GreyNoise Launches Free IP Checker for Botnet Activity
GreyNoise has released a new, free utility that allows anyone to check whether their IP address has been observed as part of a botnet or conducting malicious activity. The simple web tool provides immediate, actionable information about the security posture of one's own network connection.
So What? This tool empowers both security professionals and everyday users to discover whether their devices have been compromised and are being used for malicious purposes without their knowledge. It's a good first step in a remediation process for anyone who suspects their home or office network may be part of a botnet.
Source: New GreyNoise IP Checker Helps Users Identify Botnet Activity
Industry Developments
Man Behind In-Flight Evil Twin WiFi Attacks Gets 7 Years
A man in Australia has been sentenced to over seven years in prison for setting up "evil twin" Wi-Fi hotspots in airports to steal sensitive data from travelers' devices. The case represents a significant legal victory against a common and insidious form of cybercrime.
So What? This sentencing sends a strong message that cybercriminals will face serious consequences. It also serves as a critical public awareness campaign about the dangers of using unsecured public Wi-Fi networks, reinforcing the need for VPNs and other secure connection practices.
Source: Man behind in-flight Evil Twin WiFi attacks gets 7 years in prison
Security Teams Shift Towards AI-Powered Exposure Management
According to a series of industry polls, security professionals are moving beyond traditional vulnerability management to unified exposure management. They are increasingly seeking AI-powered tools to prioritize risks based on business impact and are struggling with operational silos and tool sprawl.
So What? This reflects a significant maturation in the security industry's approach to risk. The focus is shifting from simply finding vulnerabilities to understanding and prioritizing the exposures that matter most to the business, signaling a move towards more strategic, risk-based security programs.
Source: Cybersecurity Snapshot: What Security Pros Are Saying About Exposure Management, Risk Prioritization, Tool Sprawl and More