Daily Security Briefing 038

October 12, 2025 | Read Online

Discord webhooks abused for stealthy C2, Oracle E-Business Suite exposure risk, Inflation refund smishing targets New Yorkers

Executive Summary

Today’s cybersecurity landscape highlights the growing exploitation of trusted communication platforms as threat actors leverage Discord webhooks for covert command-and-control operations via popular package repositories. Oracle’s E-Business Suite faces a significant vulnerability that could expose sensitive data without authentication, raising concerns about enterprise software security. Meanwhile, phishing continues to evolve, with smishing campaigns targeting specific regions such as New York through impersonation of government agencies. These developments underscore the need for vigilant defense across open source ecosystems, enterprise applications, and user education around social engineering.

Top Articles

Threat Actors Exploit Discord Webhooks for C2 via npm, PyPI, and Ruby Packages
Cybercriminals are increasingly abusing Discord webhooks embedded within open-source packages across npm, PyPI, and RubyGems repositories. These hard-coded webhook URLs serve as covert command-and-control channels, enabling the silent exfiltration of sensitive information like secrets and telemetry without deploying dedicated infrastructure. This method allows attackers to hide malicious activity inside widely used software libraries, complicating detection and mitigation efforts.
GBHackers

New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login
Oracle has disclosed a critical vulnerability (CVE-2025-61884) affecting its E-Business Suite versions 12.2.3 through 12.2.14, rated with a high severity score of 7.5. This flaw allows unauthenticated attackers to gain unauthorized access to sensitive data, bypassing normal login requirements. Enterprises using affected versions should prioritize applying patches and reviewing access controls to mitigate potential data breaches.
TheHackerNews

Fake ‘Inflation Refund’ Texts Target New Yorkers in New Scam
A widespread smishing campaign is impersonating the New York Department of Taxation and Finance, sending fraudulent texts that promise “Inflation Refunds” to trick recipients into divulging personal and financial details. This targeted social engineering attack exploits current economic concerns to lure victims, emphasizing the persistent risk posed by evolving phishing tactics through SMS channels.
BleepingComputer

Explore vs. Exploit: The Pattern-Novelty Balance
This article discusses the strategic cybersecurity concept of balancing between exploiting known vulnerabilities and exploring new patterns or threats. It analyzes the ongoing challenge for defenders and attackers alike in optimizing resources between refining existing tactics and innovating novel approaches to gain advantage or enhance defenses.
DanielMiessler

AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.