
FedEx Vendor Cyber Rating & Cyber Score

fedex.com

FedEx connects people and possibilities through our worldwide portfolio of shipping, transportation, e-commerce and digital supply chain services. For decades, we’ve been innovating to deliver more for you. Strengthening supply chains with our global network. Simplifying logistics. Enhancing tracking and visibility. And using data from every journey to make your experience better. Our people are the foundation of our success, and FedEx has consistently ranked among the world’s most admired and trusted employers. We inspire our global workforce of more than 575,000 team members to remain absolutely, positively focused on safety, the highest ethical and professional standards, and the needs of their customers and communities. Day one: 186


FedEx A.I CyberSecurity Scoring

FedEx
Company Information
Website: http://careers.fedex.com
Employees number: 194,419
Number of followers: 2,256,620
NAICS: 492
Industry Type: Freight and Package Transportation
Homepage: fedex.com
FedEx Risk Score (AI oriented)
Between 750 and 799
FedEx, Freight and Package Transportation
Updated: 20/05/2026
765/1000
Fair
Baa
Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

FedEx
Current Score: 765, Baa (FAIR), on a scale of 0 to 1000
4 incidents
-29.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
763 Before Incident
MAY 2026
769 Before Incident
Vulnerability
04 May 2026, FedEx
Lovable, Base44, Replit, Netlify and FedEx: AI vibe-coding apps leak sensitive data

AI Coding Tools Expose Sensitive Data in Massive Security Oversight

766 After Incident
CRITICAL-3
FEDLOVBASNETREP1778156932

Israeli cybersecurity firm RedAccess uncovered over 380,000 publicly accessible applications built using low-code and AI-powered tools from Lovable, Base44, Replit, and Netlify, including roughly 5,000 containing sensitive corporate and personal data. The findings, shared with Axios on Monday, highlight how employees without cybersecurity training are inadvertently exposing confidential information through misconfigured privacy settings.

RedAccess CEO Dor Zvi revealed the apps were discovered while investigating "shadow AI", the unauthorized use of AI tools by employees. Many applications were set to public by default, requiring manual adjustments to restrict access. Some exposed data included:

- Medical records (doctor-patient conversations, clinical trial details, hospital staff schedules)
- Financial data (internal bank records, customer service logs)
- Corporate intelligence (shipping vessel routes, internal incident reports)
- Phishing sites impersonating brands like Bank of America, FedEx, and McDonald’s

Representatives from the affected platforms responded with mixed reactions. Base44 accused RedAccess of withholding URLs needed for verification, while Lovable acknowledged the reports but noted they lacked technical specifics to act immediately. Replit emphasized that users control app visibility, with CEO Amjad Masad stating RedAccess gave only 24 hours’ notice before public disclosure. Netlify did not respond to requests for comment.

Security researchers confirmed that many exposed apps were indexed by Google, making them easily discoverable. Axios independently verified several cases, including:

- A hospital app with unredacted patient complaints and staff schedules
- A Brazilian bank’s internal financial records
- A school app containing lesson recordings and student data

The incident underscores how AI-driven "vibe coding" tools designed for non-technical users are enabling rapid, large-scale data exposure. As Zvi noted, the lack of built-in safeguards means even basic security oversights can lead to unintentional public leaks of critical information. Some exposed apps were taken down after companies were notified, but the broader issue of unauthorized AI tool usage in enterprises remains unaddressed.
INCIDENT DETAILS
TYPE
Data Exposure
MOTIVATION
Unintentional exposure by employees
IMPACT
- Data Compromised: Sensitive corporate and personal data
- Systems Affected: 380,000+ applications built using Lovable, Base44, Replit, and Netlify
- Operational Impact: Exposure of internal records and systems
- Brand Reputation Impact: Potential brand reputation damage for affected entities
- Legal Liabilities: Potential legal liabilities due to data exposure
- Identity Theft Risk: High
- Payment Information Risk: High (for financial data exposed)
DATA BREACH
- Medical records
- Financial data
- Corporate intelligence
- Phishing sites
- Internal bank records
- Customer service logs
- Shipping vessel routes
- Internal incident reports
- Patient complaints
- Staff schedules
- Lesson recordings
- Student data
- Number Of Records Exposed: Roughly 5,000 applications with sensitive data
- Sensitivity Of Data: High
- Personally Identifiable Information: Yes
APRIL 2026
766 Before Incident
MARCH 2026
765 Before Incident
FEBRUARY 2026
764 Before Incident
JANUARY 2026
763 Before Incident
DECEMBER 2025
766 Before Incident
NOVEMBER 2025
765 Before Incident
OCTOBER 2025
760 Before Incident
SEPTEMBER 2025
758 Before Incident
AUGUST 2025
812 Before Incident
Ransomware
01 Aug 2025, FedEx
Disney, FedEx and Toyota: Rogues gallery: 15 worst ransomware groups active today

Emerging and Evolving Ransomware Threats: A 2024–2025 Overview

756 After Incident
CRITICAL-56
TOYTHEFED1773051888

Recent years have seen a surge in sophisticated ransomware operations, with several groups refining tactics, expanding targets, and adapting to law enforcement disruptions. Below is a breakdown of the most active and evolving threats as of late 2024 and early 2025.

### LockBit: A Persistent Threat with Ties to Russia

Once the most prolific ransomware-as-a-service (RaaS) operation, LockBit targeted thousands of victims worldwide, including government agencies, critical infrastructure, and private enterprises. Western law enforcement linked the group to Russian national Dmitry Yuryevich Khoroshev, indicted in 2023 alongside two other Russian affiliates. Despite crackdowns, LockBit’s infrastructure and tactics remain influential, with former affiliates migrating to newer RaaS platforms.

### Lynx: A Rebranded RaaS with Aggressive Tactics

Emerging as a potential successor to the INC ransomware (sharing 48% of its code), Lynx operates a RaaS model and employs double extortion: stealing data before encrypting files with the `.lynx` extension while deleting backups. Between July and November 2024, the group targeted U.S. and U.K. sectors, including energy, oil and gas, retail, and financial services. Despite claims of "ethical" victim selection, its rapid expansion suggests a calculated focus on high-value industries.

### Medusa: A Global RaaS Operation with Russian Links

Active since 2022, Medusa exploits vulnerabilities in public-facing systems, phishing, and initial access brokers to breach organizations. Its victims span healthcare, education, manufacturing, and retail across the U.S., Europe, and India. While its core operators are suspected to be Russian-speaking, attribution remains unconfirmed.

### Play: A Low-Profile but High-Impact Threat

First detected in June 2022, Play ransomware intensified operations following the disruption of other major groups. Unlike typical RaaS operations, Play avoids dark web advertising, claiming to be a "closed group" for secrecy. However, evidence suggests it collaborates with affiliates. Targets include healthcare, telecommunications, finance, and government services. In October 2024, researchers at Palo Alto Networks’ Unit 42 linked a Play ransomware deployment to North Korea’s APT45, highlighting potential state-sponsored cybercrime crossover.

### Qilin (Agenda): A Russia-Based RaaS with Growing Reach

Operating since May 2022, Qilin targets Windows, Linux, and VMware ESXi servers using ransomware written in Golang and Rust. The group avoids attacks in CIS countries but aggressively recruits affiliates, leading to a five-fold increase in victim postings in the second half of 2025. Its rise is attributed to partnerships with initial access brokers, who supply stolen VPN credentials.

### RansomHub: A Rising RaaS with Affiliate-Friendly Terms

Emerging in February 2024, RansomHub (formerly Cyclops/Knight) quickly became a dominant threat by recruiting affiliates from disrupted groups like LockBit and ALPHV/BlackCat. Its model offers affiliates a 10% fee or direct ransom collection, making it attractive to cybercriminals. With over 210 victims across healthcare, finance, government, and critical infrastructure in North America and Europe, RansomHub’s rapid growth underscores the resilience of the RaaS ecosystem.

### Scattered Lapsus$ Hunters: A Cybercrime Supergroup

Formed in August 2025, this alliance merges Scattered Spider, LAPSUS$, and ShinyHunters, combining expertise in social engineering, help desk compromise, and ransomware deployment. The group ran a Salesforce campaign in August and October 2025, exposing data from Toyota, FedEx, and Disney. Though its leak site was seized in October 2025, the collective’s loose structure and technical sophistication suggest it remains a persistent threat.

### Key Trends

- RaaS Dominance: Most groups operate under affiliate models, lowering the barrier for entry.
- Double Extortion: Nearly all groups now steal data before encryption to increase leverage.
- Geopolitical Ties: Many operations are linked to Russia or North Korea, though direct state sponsorship remains debated.
- Rebranding & Adaptation: Disrupted groups often reemerge under new names (e.g., Lynx, RansomHub).
- Critical Infrastructure Targeting: Energy, healthcare, and government sectors remain prime targets.

As ransomware groups refine their tactics and expand their reach, the threat landscape continues to evolve, with law enforcement actions only temporarily slowing their operations.
INCIDENT DETAILS
TYPE
Ransomware
MOTIVATION
- Financial gain
- Data extortion
- Cybercrime
IMPACT
- Data Compromised: Yes
- Windows
- Linux
- VMware ESXi servers
DATA BREACH
- Personally identifiable information
- Corporate data
- Sensitivity Of Data: High
- Data Exfiltration: Yes
- Data Encryption: Yes
- Personally Identifiable Information: Yes
JULY 2025
812 Before Incident
JUNE 2022
812 Before Incident
Cyber Attack
25 Jun 2022, FedEx
FedEx, TNT Express and MGM Resorts: Are you ready for AI security threats? Time to act

AI-Powered Cyberattacks Escalation and Traditional Defense Failures

797 After Incident
CRITICAL-15
FEDTNTICS1775472837

AI-Powered Cyberattacks Escalate: Why Traditional Defenses Are Failing

AI is transforming cyber threats, making attacks faster, more deceptive, and far costlier, with the average AI-enabled breach now exceeding $4.88 million in direct costs, excluding reputational damage or regulatory penalties. Yet the greatest risk isn’t the breach itself; it’s leadership unprepared for an era where attacks evolve in real time, bypass traditional defenses, and exploit human psychology.

### The New Threat Landscape

AI-driven attacks are no longer hypothetical. In 2022, a deepfake video of Ukrainian President Volodymyr Zelensky falsely ordering troops to surrender spread rapidly online, demonstrating how easily synthetic media can manipulate public perception. Once requiring Hollywood-level resources, such tools now run on standard laptops, lowering the barrier for attackers while increasing the potential for widespread deception.

The impact is already measurable. A 2026 IBM study found that AI-enabled cyberattacks contributed to a 44% rise in breaches targeting public-facing systems in just one year. These attacks don’t follow predictable patterns; they learn, adapt, and exploit vulnerabilities autonomously, testing defenses without human intervention. Meanwhile, 77% of executives admit their organizations lack confidence in handling AI-driven threats, according to Accenture’s 2025 State of Cybersecurity Resilience report.

### Why Old Frameworks Fail

Traditional risk models, like VUCA (volatile, uncertain, complex, ambiguous), no longer capture the realities of AI-driven threats. Instead, experts describe the current environment as BANI (brittle, anxious, nonlinear, incomprehensible), a paradigm where:

- Brittle systems appear robust but collapse under stress (e.g., NotPetya’s 2017 attack, which crippled TNT Express in 40 minutes).
- Anxious leaders freeze under pressure, deferring critical decisions due to information overload.
- Nonlinear threats defy proportionality: small errors (a stolen password, a misconfigured setting) trigger catastrophic failures.
- Incomprehensible AI operates as a "black box," making it difficult to predict or govern.

### A New Playbook for Resilience

To counter these challenges, organizations must adopt a proactive, adaptive approach. Key strategies include:

1. Assume Breach Is Inevitable
   - Deploy zero-trust architectures, network segmentation, and manual backups.
   - FedEx’s 2017 NotPetya response minimized losses through pre-rehearsed crisis protocols, while MGM Resorts’ 2023 ransomware attack, triggered by a 10-minute social engineering call, cost $100 million due to unprepared leadership.
2. Cultivate AI Fluency Across Leadership
   - Reverse mentoring programs can bridge knowledge gaps, ensuring executives understand AI’s risks and capabilities.
   - Hiring should prioritize adaptability over static skills.
3. Align AI Investments with Core Operations
   - Avoid "pilot purgatory": every AI initiative must tie to measurable business outcomes and resilience, not just growth.
4. Strengthen Governance
   - Establish cross-functional AI councils to oversee ethics, bias testing, and accountability.
   - Define clear responsibility for AI failures before incidents occur.

### Critical Questions for Leadership

Boards and executives should assess readiness by asking:

- Can the business operate for 48 hours without digital systems?
- Have leaders completed meaningful AI security training (not just compliance checklists)?
- Are AI deployments strengthening resilience, or creating new vulnerabilities?
- Can teams make sound decisions without real-time data?

The gap between AI’s capabilities and organizational preparedness is widening. The question is no longer if an attack will occur, but whether leaders are equipped to respond when it does.
INCIDENT DETAILS
TYPE
- AI-driven cyberattack
- Deepfake attack
- Ransomware
- Social engineering
MOTIVATION
- Financial gain
- Public manipulation
- Operational disruption
IMPACT
- Financial Loss: $4.88 million (average direct costs per breach)
- Public-facing systems
- 44% rise in breaches targeting public-facing systems (2026 IBM study)
- Collapse of brittle systems under stress (e.g., NotPetya)
- Revenue Loss: $100 million (MGM Resorts 2023 ransomware attack)
- Public perception manipulation (e.g., deepfake of Ukrainian President Zelensky)
FEBRUARY 2018
824 Before Incident
Data Leak
01 Feb 2018, FedEx

FedEx Data Exposure Incident

791 After Incident
CRITICAL-33
FED10267622

FedEx exposed private information belonging to thousands of its customers after a legacy server was left open without a password. Unencrypted private customer records were exposed on the server.
INCIDENT DETAILS
TYPE
Data Exposure
IMPACT
- Private customer records
- Legacy server
DATA BREACH
- Private customer records
- Data Encryption: Unencrypted

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for FedEx?
- What was FedEx's A.I Rankiteo Cyber Score in May 2026?
- What was FedEx's A.I Rankiteo Cyber Score in April 2026?
- What was FedEx's A.I Rankiteo Cyber Score in March 2026?
- What was FedEx's A.I Rankiteo Cyber Score in February 2026?
- What was FedEx's A.I Rankiteo Cyber Score in January 2026?
- What was FedEx's A.I Rankiteo Cyber Score in December 2025?
- What was FedEx's A.I Rankiteo Cyber Score in November 2025?
- What was FedEx's A.I Rankiteo Cyber Score in October 2025?
- What was FedEx's A.I Rankiteo Cyber Score in September 2025?
- What was FedEx's A.I Rankiteo Cyber Score in August 2025?
- What was FedEx's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on FedEx's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with FedEx?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view FedEx's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?