SecurityWeek Roundup: Apple Beats Mic Flaw, OptinMonster Supply Chain Attack Hits 1.2M Sites, Velvet Ant Decade-Long Stealth
A weekly roundup covers Apple's Beats eavesdropping patch, a supply chain attack on 1.2 million WordPress sites via OptinMonster, and a decade-long stealth operation by China-linked Velvet Ant.

SecurityWeek's weekly cybersecurity news roundup highlights a series of significant but often overlooked stories, including Apple fixing an eavesdropping vulnerability in Beats products, a massive supply chain attack affecting over 1.2 million WordPress sites, and a decade-long stealth campaign by the China-linked Velvet Ant threat actor in air-gapped critical infrastructure.
Apple released firmware update 1B211 for Beats Studio Buds, patching CVE-2025-20701, a high-severity Bluetooth vulnerability that allows nearby attackers to eavesdrop via the microphone on unpaired devices actively seeking connections. The update is applied automatically when the Buds are paired with Apple devices. CVE-2025-20701 is one of three Bluetooth security issues disclosed last year affecting multiple vendors.
In one of the largest supply chain attacks of the year, attackers compromised Awesome Motive's OptinMonster, TrustPulse, and PushEngage WordPress plugin CDN scripts, injecting malicious JavaScript that creates rogue administrator accounts and a hidden backdoor plugin. The breach stemmed from a compromised UpdraftPlus instance and CDN key, impacting more than 1.2 million WordPress sites globally.
The China-nexus actor Velvet Ant compromised an organization's segregated network starting around 2016, chaining internet-facing footholds, Nginx/FastCGI proxies, and backdoored PAM/OpenSSH components for credential theft and persistent access. The group deployed variants of GS-Netcat, SOCKS5 proxies, and nine pam_unix.so backdoors across hosts, making remediation complex.
Critical vulnerabilities in the SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions, with over 10 million combined installs, allow malicious websites to trigger arbitrary extension actions including hidden tab screenshots, AI memory dumps, and potential file access. With no vendor response, users are advised to remove the extensions until fixes are available.
Other notable stories include AWS unveiling Continuum, an AI-powered vulnerability prioritization tool; the US DOT closing its investigation into Delta's CrowdStrike outage response without penalties; and the FTC reporting that imposter scams cost Americans $3.5 billion in 2025. Researchers also linked the Popa Android TV box botnet to Israeli proxy provider NetNut. In addition, a 10-year-old phpBB flaw enables session hijacking, and JetBrains Marketplace plugins were found stealing developer AI keys.