Google has released an urgent security update for its Chrome web browser to fix a vulnerability already being used in active attacks. The flaw, identified as CVE-2025-10585, is the sixth such zero-day vulnerability addressed by the company this year, highlighting a persistent challenge for software security.
This development was part of a significant week in cybersecurity, which also saw law enforcement agencies arrest key members of the Scattered Spider hacking group and researchers demonstrate a new attack method against modern DDR5 computer memory.
Key Takeaways
- Google addressed an actively exploited zero-day vulnerability, CVE-2025-10585, in its Chrome browser.
- Authorities in the U.K. and U.S. arrested members of the Scattered Spider cybercrime group, known for major network intrusions.
- A new penetration testing tool, Villager, has seen rapid adoption, raising concerns about its potential misuse by malicious actors.
- Researchers developed a new technique, Phoenix, to bypass security protections in modern DDR5 RAM modules.
Major Vulnerabilities and Law Enforcement Actions
Google confirmed it is aware that an exploit for CVE-2025-10585 exists in the wild. The vulnerability is a type confusion issue within the V8 JavaScript engine, a core component of the Chrome browser. The company has not released specific details about the attacks to prevent further exploitation while users update their software.
This patch marks the sixth time in 2025 that Google has had to address a zero-day flaw in Chrome, underscoring the continuous efforts by attackers to find and exploit weaknesses in widely used software.
Arrests Target Scattered Spider Hacking Group
In a significant law enforcement operation, authorities in the United Kingdom arrested two teenage members of the Scattered Spider hacking group. Thalha Jubair, 19, and Owen Flowers, 18, were apprehended in connection with a cyberattack on Transport for London (TfL) in August 2024.
Who is Scattered Spider?
Scattered Spider is a financially motivated cybercrime group known for its sophisticated social engineering tactics and aggressive ransomware attacks. The group has targeted numerous large corporations, often gaining initial access by impersonating IT support staff to trick employees into giving up their credentials.
Simultaneously, the U.S. Department of Justice unsealed charges against Jubair for his alleged involvement in at least 120 computer intrusions. These attacks resulted in extortion payments from 47 U.S. entities totaling over $115 million. Separately, a teenage male suspect surrendered to police in Los Angeles for his alleged role in attacks on Las Vegas casinos in late 2023.
Emerging Threats in Software and Hardware
The security landscape is constantly evolving with new tools and attack techniques. This week, a new AI-powered penetration testing tool and a novel hardware attack method came into focus.
AI Pen-Testing Tool 'Villager' Gains Traction
A new tool named Villager, designed for legitimate security testing, has been downloaded nearly 11,000 times from the Python Package Index (PyPI) in just two months. Its rapid adoption has raised concerns among security experts about its potential for dual-use abuse.
The Dual-Use Dilemma
Legitimate security tools like Cobalt Strike and Brute Ratel C4 were originally created for security professionals to test defenses. However, they have become popular weapons for cybercriminals, who use them to carry out attacks. Experts fear Villager could follow a similar path.
The tool's AI capabilities could allow malicious actors to automate and accelerate advanced network intrusions, lowering the barrier to entry for sophisticated attacks.
New RowHammer Attack Defeats DDR5 Memory Protections
Researchers have successfully demonstrated a new technique that bypasses the built-in defenses of modern DDR5 RAM modules. The attack, named Phoenix, is a variation of the RowHammer exploit, which involves rapidly accessing memory rows to cause electrical interference and flip bits in adjacent cells.
"Our reverse-engineering efforts show that significantly longer RowHammer patterns are nowadays necessary to bypass these new protections," the researchers stated. "Our new RowHammer attack, called Phoenix, resynchronizes these long patterns as necessary to trigger the first DDR5 bit flips."
This breakthrough is significant because DDR5 memory was designed with on-chip mitigations specifically to prevent such attacks. A successful exploit could lead to privilege escalation or the theft of sensitive data stored in protected memory regions.
Global Cybercrime and Espionage Developments
International cyber activity this week included the dismantling of a major phishing service and evidence of collaboration between state-sponsored hacking groups.
Microsoft and Cloudflare Disrupt Phishing Service
In a coordinated effort, Microsoft and Cloudflare seized 338 domains used by a Phishing-as-a-Service (PhaaS) operation known as RaccoonO365. The service provided cybercriminals with a toolkit to steal Microsoft 365 credentials.
According to reports, the RaccoonO365 platform was responsible for compromising over 5,000 accounts across 94 countries since July 2024. The service was sold on a subscription basis, with plans costing up to $999 for 90 days, making sophisticated phishing campaigns accessible to less-skilled attackers.
Russian Hacking Groups Turla and Gamaredon Collaborate
Security analysts have uncovered the first known collaboration between two Russian state-sponsored hacking groups, Turla and Gamaredon. Both groups are linked to Russia's Federal Security Service (FSB).
The investigation revealed that Turla, a highly sophisticated espionage group, was using the network access previously gained by Gamaredon to deploy its own advanced backdoor, known as Kazuar, on high-value targets in Ukraine. This tactic allows Turla to operate more efficiently by leveraging the work of another group to select its targets.
Supply Chain and Software Integrity Under Scrutiny
The integrity of the software supply chain remains a critical area of concern, with new attacks targeting open-source repositories and AI development platforms.
Self-Replicating Worm Hits npm Registry
A software supply chain attack infected over 500 packages in the npm registry, a popular repository for JavaScript code. The attack involved a self-replicating worm that, once installed on a developer's machine, would scan for sensitive information like passwords and API keys and send them to a server controlled by the attacker.
The worm was designed to target both Windows and Linux systems, demonstrating the cross-platform nature of modern supply chain threats.
AI Supply Chain Vulnerability Discovered
Researchers from Palo Alto Networks Unit 42 demonstrated a new attack technique called Model Namespace Reuse. This method exploits how AI platforms like Microsoft Azure AI and Google Vertex AI manage machine learning models.
An attacker can re-register the name of a deleted or transferred model on a public repository like Hugging Face. If a developer's pipeline pulls the model by name without verifying its source, it could unknowingly deploy a malicious version, potentially leading to remote code execution. This highlights the need for stricter dependency management in AI development workflows.
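The mitigation the two supply chain items above point at is the same: resolve a dependency by content, not by name alone. The following added example (written for this page, not code from Unit 42, Hugging Face, npm or any vendor SDK) shows one way to do that for a model directory: record a lockfile of per-file SHA-256 digests when the model is first vetted, then refuse to load if the files fetched later under the same name differ. The model name `example-org/demo-model`, the revision string `abc123`, the file names and the `demo()` scenario are all constructed placeholders. The pattern generalizes to npm packages, where the `integrity` field in a lockfile plays the same role.

```python
"""Pin-and-verify loader for artifacts that a pipeline pulls by name.

Added example, not from the article. Assumes a local directory of already
downloaded model files and a lockfile recording each file's SHA-256 digest
at vetting time. All names and sample contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large weight files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_lock(model_dir: Path, name: str, revision: str) -> dict:
    """Record the model name, the pinned revision and a digest for every file.

    Run once, when a human has reviewed the model; commit the result alongside
    the pipeline code.
    """
    files = {}
    for p in sorted(model_dir.rglob("*")):
        if p.is_file():
            files[p.relative_to(model_dir).as_posix()] = sha256_of_file(p)
    return {"name": name, "revision": revision, "files": files}


def verify_model_dir(model_dir: Path, lock: dict, name: str, revision: str) -> list[str]:
    """Compare a freshly fetched directory against the lock.

    Returns a list of problems; an empty list means every file matches. Extra
    files are reported too, because a re-registered model can add a loader
    script that the original never had.
    """
    problems = []
    if lock["name"] != name or lock["revision"] != revision:
        problems.append(
            f"lock is for {lock['name']}@{lock['revision']}, requested {name}@{revision}"
        )
    seen = set()
    for p in sorted(model_dir.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(model_dir).as_posix()
        seen.add(rel)
        expected = lock["files"].get(rel)
        if expected is None:
            problems.append(f"unexpected file not in lock: {rel}")
        elif sha256_of_file(p) != expected:
            problems.append(f"digest mismatch: {rel}")
    for rel in lock["files"]:
        if rel not in seen:
            problems.append(f"missing file listed in lock: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: vet a model, then simulate the same name being
    re-registered with different weights plus an added script file."""
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "model"
        model_dir.mkdir()
        (model_dir / "config.json").write_text('{"arch": "demo"}')
        (model_dir / "weights.bin").write_bytes(b"\x00" * 1024)
        # Placeholder name and revision; a real lock would pin a commit hash.
        lock = build_lock(model_dir, "example-org/demo-model", "abc123")
        ok = verify_model_dir(model_dir, lock, "example-org/demo-model", "abc123")

        # Namespace reuse: same name, different content, extra file.
        (model_dir / "weights.bin").write_bytes(b"\x01" * 1024)
        (model_dir / "modeling_demo.py").write_text("print('replaced')\n")
        bad = verify_model_dir(model_dir, lock, "example-org/demo-model", "abc123")
    return ok, bad


if __name__ == "__main__":
    clean, tampered = demo()
    print("vetted copy:", clean or "OK")
    print("re-registered copy:", tampered)
```

In a real pipeline the fetch step should already pin a specific revision (for example the `revision` argument of `huggingface_hub.snapshot_download`) rather than a floating branch name, and this check runs on the result before anything in the directory is loaded or executed; the lockfile, not the repository name, is what the deployment trusts.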