Jan 13, 2026The Hacker NewsThreat Intelligence / Id Safety
Outdated Playbook, New Scale: Whereas defenders are chasing traits, attackers are optimizing the fundamentals
The safety business loves speaking about “new” threats. AI-powered assaults. Quantum-resistant encryption. Zero-trust architectures. However wanting round, it looks like the simplest assaults in 2025 are just about the identical as they had been in 2015. Attackers are exploiting the identical entry factors that labored – they’re simply doing it higher.
Provide Chain: Nonetheless Cascading Downstream
Because the Shai Hulud NPM marketing campaign confirmed us, provide chain stays a significant subject. A single compromised package deal can cascade by means of a complete dependency tree, affecting 1000’s of downstream tasks. The assault vector hasn’t modified. What’s modified is how effectively attackers can determine and exploit alternatives.
AI has collapsed the barrier to entry. Simply as AI has enabled one-person software program tasks to construct subtle purposes, the identical is true in cybercrime. What used to require giant, organized operations can now be executed by lean groups, even people. We suspect a few of these NPM package deal assaults, together with Shai-Hulud, may really be one-person operations.
As software program tasks turn into easier to develop, and menace actors present a capability to play the lengthy recreation (as with the XZ Utils assault) – we’re prone to see extra instances the place attackers publish legit packages that construct belief over time, then in the future, with the press of a button, inject malicious capabilities to all downstream customers.
Phishing: Nonetheless Simply One Click on Away
Phishing nonetheless works for a similar purpose it at all times has: people stay the weakest hyperlink. However the stakes have modified dramatically. The latest npm provide chain assault demonstrates the ripple impact: one developer clicked a nasty hyperlink, entered his credentials and his account was compromised. Packages with tens of thousands and thousands of weekly downloads had been poisoned. Regardless of the developer publicly reporting the incident to npm, mitigation took time – and through that window, the assault unfold at scale.
Official Shops: Nonetheless Not Secure
Maybe most irritating: malware continues to bypass official gatekeepers. Our analysis on malicious Chrome extensions stealing ChatGPT and DeepSeek conversations revealed one thing we already know from cellular app shops—automated evaluations and human moderators aren’t preserving tempo with attacker sophistication.
The permissions drawback ought to sound acquainted as a result of it is already been solved. Android and iOS give customers granular management: you’ll be able to permit location entry however block the microphone, allow digicam entry solely when an app is open, not within the background. Chrome may implement the identical mannequin for extensions – the expertise exists. It is a matter of prioritization and implementation.
As a substitute, customers face a binary selection with extensions requesting permission to “learn info from all web sites.” If an extension asks for that stage of entry, normally it is going to be used for malicious functions, or it’s going to later be up to date to take action.
Attackers do not have the Shiny Instrument Syndrome
Attackers did not throw out their playbook when AI arrived – they automated it. They’re nonetheless exploiting provide chains, phishing builders, and sneaking malware previous reviewers. They’re simply doing it with one-tenth the assets.
We should not be chasing shiny new protection methods whereas the fundamentals nonetheless do not work. Repair permissions fashions. Harden provide chain verification. Make phishing-resistant authentication the default. The basics matter extra now, not much less.
Attackers optimized the fundamentals. What ought to defenders prioritize? Be part of OX for our upcoming webinar: Menace Intelligence Replace: What’s Been Working for Hackers and What Have the Good Guys Been Doing?
We’ll cowl assault strategies gaining traction, what’s really stopping them, and what to prioritize when assets are restricted. Register right here.
Register right here.
Word: This text was solely written and contributed by Moshe Siman Tov Bustan, Safety Analysis Crew Lead at OX.
Discovered this text fascinating? This text is a contributed piece from certainly one of our valued companions. Comply with us on Google Information, Twitter and LinkedIn to learn extra unique content material we put up.
