Tag: Atlassian

  • The Trusted Trap: How Hackers are Weaponizing GitHub and Jira Notifications to Bypass Filters

    A routine missive from a familiar service has long since ceased to be a hallmark of security. Specialists from Cisco Talos have identified a nascent surge in cyber offensives wherein adversaries exploit the legitimate notification frameworks of GitHub and Jira to disseminate phishing attempts and spam with minimal interference. From an external perspective, these communications manifest as standard alerts from reputable platforms, thereby engendering less suspicion and attaining a higher rate of successful delivery to their intended recipients.

    According to Talos, perpetrators embed deceptive lures directly into the content of automated notifications. Within the GitHub ecosystem, this stratagem revolves around code commits. Attackers forge repositories and infuse the commit descriptions with fraudulent invoices, counterfeit “technical support” prompts, or other data-exfiltration ruses. Once a commit is dispatched, GitHub’s own infrastructure broadcasts the notification. Such correspondence effortlessly satisfies standard authentication protocols—including SPF, DKIM, and DMARC—rendering email filters far less likely to categorize the message as a threat.

    Talos reports that during a five-day observation window, 1.2% of all traffic originating from noreply@github.com contained the keyword “invoice” within the subject line. This activity peaked on February 17, 2026, when the proportion of such deceptive emails escalated to approximately 2.89% of the daily sample.

    With Jira, the methodology diverges. While the platform itself does not permit the alteration of email templates, it allows for the population of project and invitation fields. Adversaries establish projects within Jira Service Management, inserting misleading titles and introductory prose before broadcasting invitations to targeted addresses. Consequently, Atlassian dispatches a branded email where the malicious lure is seamlessly integrated into a trusted template. This technique is particularly hazardous within corporate environments, where Jira notifications are habitually perceived as internal, utilitarian communications.

    Cisco Talos contends that the primary issue lies not in a vulnerability of the platforms themselves, but in the inherent trust afforded to their infrastructure. Criminals utilize the esteemed reputation of SaaS providers as a shroud, circumventing defenses calibrated to verify domain authority and technical authenticity. The authors of the report advocate that organizations scrutinize not merely the sender, but the functional context within the service. This involves analyzing GitHub and Atlassian logs via API, monitoring for anomalous invitations or the creation of dubious projects, and subjecting notifications with atypical content to rigorous secondary verification.
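As an added example, not code from the Talos report or from this article, the secondary verification the authors recommend, run over constructed sample notifications: the sender address and DMARC result are accepted as genuinely the platform's, and only the user-controlled part (commit message, project title) is inspected for the lure traits the report describes (invoice and "technical support" wording, a phone number, a link that leaves the platform). The Jira tenant address `jira@acme.atlassian.net`, the host names and every message body are constructed assumptions.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Platform senders whose mail passes SPF/DKIM/DMARC, so the envelope alone proves nothing.
# The Jira tenant address is a hypothetical example; substitute your own tenant's sender.
TRUSTED_NOTIFIERS = {"noreply@github.com": "github", "jira@acme.atlassian.net": "jira"}

# Lure vocabulary named in the report (invoices, fake "technical support") plus two things a
# genuine commit message or project invite rarely carries: a phone number and an off-platform link.
LURE_TERMS = re.compile(r"\b(invoice|billing|refund|technical support|call (?:us|now))\b", re.I)
PHONE = re.compile(r"\+?\d[\d\-\s().]{8,}\d")
OFF_PLATFORM_URL = re.compile(r"https?://(?!(?:www\.)?github\.com/|[\w.-]+\.atlassian\.net/)\S+", re.I)


def platform_of(msg):
    """Platform name if the mail really came from a trusted notifier (DMARC pass), else None."""
    _, addr = parseaddr(msg.get("From", ""))
    platform = TRUSTED_NOTIFIERS.get(addr.lower())
    if platform and "dmarc=pass" in msg.get("Authentication-Results", "").lower():
        return platform
    return None  # unknown sender or failed authentication: the ordinary mail filters' job


def lure_indicators(text):
    """Sorted names of the indicators present in the user-controlled part of a notification."""
    checks = {"lure-term": LURE_TERMS, "phone-number": PHONE, "off-platform-url": OFF_PLATFORM_URL}
    return sorted(name for name, rx in checks.items() if rx.search(text))


def triage(raw_messages):
    """Second-stage check: authentic platform mail whose embedded content looks like a lure."""
    flagged = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        platform = platform_of(msg)
        if platform is None:
            continue
        # Subject and body carry the attacker-controlled commit message or project title.
        hits = lure_indicators(msg.get("Subject", "") + "\n" + msg.get_payload())
        if hits:
            flagged.append({"platform": platform, "message_id": msg.get("Message-ID"), "indicators": hits})
    return flagged


def invoice_share_by_day(raw_messages):
    """Per-day fraction of authentic noreply@github.com mail with 'invoice' in the subject,
    the metric behind the report's 1.2 % average and 2.89 % peak."""
    total, hits = defaultdict(int), defaultdict(int)
    for raw in raw_messages:
        msg = message_from_string(raw)
        if platform_of(msg) != "github":
            continue
        day = parsedate_to_datetime(msg["Date"]).date().isoformat()
        total[day] += 1
        if "invoice" in msg.get("Subject", "").lower():
            hits[day] += 1
    return {day: hits[day] / total[day] for day in total}


# Constructed sample notifications (not real traffic); headers trimmed to what the checks use.
SAMPLE_MESSAGES = [
    """From: GitHub <noreply@github.com>
Date: Tue, 17 Feb 2026 09:12:00 +0000
Message-ID: <c1@github.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: [billing-dept/payments] Invoice #48213 overdue (commit a1b2c3d)

Your invoice of $499.00 is unpaid. Call technical support at +1 800 555 0147
or settle it at https://pay-portal.example/inv/48213 within 24 hours.
""",
    """From: GitHub <noreply@github.com>
Date: Tue, 17 Feb 2026 11:40:00 +0000
Message-ID: <c2@github.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: [acme/api] Fix null check in request handler (PR #512)

alice approved this pull request. View it on GitHub: https://github.com/acme/api/pull/512
""",
    """From: Jira <jira@acme.atlassian.net>
Date: Tue, 17 Feb 2026 12:05:00 +0000
Message-ID: <j1@acme.atlassian.net>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Support Desk invited you to 'Technical Support: call +44 20 7946 0958 to restore access'

Accept the invitation: https://acme.atlassian.net/servicedesk/customer/portal/3
""",
    """From: Jira <jira@acme.atlassian.net>
Date: Tue, 17 Feb 2026 14:20:00 +0000
Message-ID: <j2@acme.atlassian.net>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: alice invited you to join 'Platform Engineering' on Jira

Accept the invitation: https://acme.atlassian.net/jira/software/projects/PE
""",
    """From: GitHub <noreply@github.com>
Date: Tue, 17 Feb 2026 13:00:00 +0000
Message-ID: <x1@mail.example.net>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
Subject: Invoice 77120 attached

Spoofed sender: left to the existing filters, not counted here.
""",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MESSAGES):
        print(hit)
    print(invoice_share_by_day(SAMPLE_MESSAGES))
```

The point of gating on `platform_of` first is that the check is deliberately narrow: it never second-guesses SPF/DKIM/DMARC, it only asks whether the part of an authentic notification that a stranger could have typed reads like a lure, which is where the report places the risk.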

  • Paradox.ai Data Breach: “123456” Password & Nexus Stealer Expose Fortune 500 Clients

    A recent data breach has exposed a critical vulnerability in the systems of Paradox.ai, the developer behind AI-powered chatbots used in recruitment processes at McDonald’s and other Fortune 500 corporations. The cause of this widespread leak? A painfully simple mistake—a password so weak it bordered on the absurd.

    The saga began when security researchers Ian Carroll and Sam Curry gained access to the backend of McHire.com, a platform that utilizes Paradox.ai’s “Olivia” chatbot to process job applications. Their entry point was a dormant test account protected by the infamous password “123456.” This flimsy credential opened the door to a trove of 64 million records, including names, phone numbers, and email addresses of job seekers.

    Paradox acknowledged the legitimacy of the test account, claiming it had been inactive since 2019 and was slated for deletion. The company asserted that only the researchers had accessed the system and emphasized that the exposed data involved only chatbot interactions, not actual job applications.

    But the crisis didn’t end there. An independent analysis of leaked password data revealed that in June 2025, a device belonging to a Vietnamese employee of Paradox was infected with the Nexus Stealer malware. This malicious software specializes in pilfering credentials and authentication data, including cookies and manually entered logins. Once compromised, the employee’s data was made publicly accessible and indexed by breach-tracking services.

    The stolen credentials included hundreds of trivial, repetitive passwords—many differing only in their final characters. Alarmingly, some were used to access client systems for major corporations like Aramark, Lockheed Martin, Lowe’s, and Pepsi. One such password, a mere seven-digit number, was reused across multiple enterprise systems—easily crackable in seconds with modern brute-force tools.

    Particularly troubling is the fact that the breach included logins to the single sign-on platform paradoxai.okta.com, in use since 2020 and equipped with two-factor authentication. While Paradox maintains that most compromised passwords are now obsolete, some still provided access to critical systems such as Okta and Atlassian—whose authentication tokens were valid until December 2025.

    Beyond credentials, the breach exposed session cookies, potentially enabling attackers to bypass multifactor authentication altogether. In several instances, malware also installed backdoors, allowing persistent remote access. One such compromised device—belonging to a Paradox developer in Vietnam—was later found listed for sale online.

    Paradox insists the incident did not impact other customer accounts and claims that security protocols for contractors have been significantly tightened since a 2019 audit. Yet this raises uncomfortable questions: how did an account secured with “123456” survive an audit in a company certified to ISO 27001 and SOC 2 Type II standards? The company explained that in 2019, external contractors were not held to the same security standards as internal staff.

    Further investigation revealed that another Vietnamese employee was infected with similar malware in late 2024. Among the stolen data were GitHub credentials and browser histories suggesting the infection likely occurred through pirated movie downloads—a common infection vector masked as codec installations.

    This episode serves as a stark reminder of the fragility of corporate cybersecurity—even within firms that claim rigorous adherence to industry standards. One forgotten test account and one compromised laptop were all it took to potentially jeopardize the data of numerous global enterprises.

  • CVE-2023-22522: RCE Vulnerability In Confluence Data Center and Confluence Server

    Attention all Confluence Data Center and Confluence Server users: A critical vulnerability, identified as CVE-2023-22522 (CVSS score of 9.0), has been discovered that allows remote code execution (RCE) on affected instances. This vulnerability poses a significant security risk and requires immediate attention.

    Affected Versions

    The RCE vulnerability affects all versions of Confluence Data Center and Server from 4.0.0 onward. Users of Atlassian Cloud sites need take no action, as those sites are not affected. Atlassian strongly recommends patching all affected instances to the latest version or to a fixed LTS version.

    Vulnerability Details

    This template injection vulnerability allows an authenticated attacker, including an anonymous user where anonymous access is enabled, to inject unsafe user input into a Confluence page. Using this approach, an attacker can execute arbitrary code on the affected Confluence instance, potentially gaining complete control of the system.

    Mitigation

    To mitigate this risk, please follow these steps:

    1. Identify Affected Instances: Determine which Confluence Data Center or Server versions are running in your environment.

    2. Apply Updates: Apply the latest version or one of the fixed LTS versions listed below:

      Confluence Data Center and Server:

      • 7.19.17 (LTS)
      • 8.4.5
      • 8.5.4 (LTS)

      Confluence Data Center:

      • 8.6.2 or later (Data Center Only)
      • 8.7.1 or later (Data Center Only)

    3. Monitor for Anomalies: Continuously monitor your Confluence instances for any suspicious activity or unauthorized access attempts.

    Additional Considerations

    • If you are unable to apply the recommended updates immediately, consider backing up your instance.

    • Remove your instance from the internet until you can patch. Instances accessible to the public internet, including those with user authentication, should be restricted from external network access until you can patch.

    Conclusion

    The CVE-2023-22522 vulnerability is a critical security risk that requires prompt attention. By following the recommended mitigation steps and maintaining vigilance, you can effectively protect your Confluence instances from potential exploitation.

  • CVE-2023-22516: A Critical RCE Vulnerability in Atlassian Bamboo

    Atlassian has recently disclosed a critical vulnerability affecting the Bamboo Data Center and Server. This vulnerability, classified as CVE-2023-22516, allows an authenticated attacker to execute arbitrary code on the affected system, posing a severe threat to confidentiality, integrity, and availability.

    CVE-2023-22516 is classified as a high-severity Remote Code Execution (RCE) vulnerability, a type of security flaw that allows attackers to execute arbitrary code on a victim’s system remotely. This vulnerability affects versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server.

    With a CVSS score of 8.5, CVE-2023-22516 is not just a minor threat; it’s a glaring red flag for organizations using the affected versions of Bamboo. The vulnerability enables an authenticated attacker to carry out actions with potentially devastating consequences, including:

    • High Impact to Confidentiality: Private and sensitive information could be accessed and exfiltrated.
    • High Impact to Integrity: Data can be altered or corrupted.
    • High Impact to Availability: Systems and services can be rendered unavailable, causing significant disruptions.

    The vulnerability was discovered by a vigilant private user through Atlassian’s Bug Bounty program, highlighting the importance of collaborative cybersecurity efforts.

    Atlassian, the organization behind Bamboo, has issued an urgent advisory for users to upgrade their systems to the latest versions. For those who cannot immediately move to the newest release, there are specific versions that contain the necessary fixes:

    • For Bamboo Data Center and Server 9.2: Upgrade to a version greater than or equal to 9.2.7.
    • For Bamboo Data Center and Server 9.3: Upgrade to a version greater than or equal to 9.3.4.

    Additionally, for those running Bamboo Data Center and Server on Java 8, it is recommended to use JDK 1.8u121 or newer versions.
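As an added example, not Atlassian's tooling or code from either advisory, a version triage that applies the fixed-release tables from the two summaries above (Confluence CVE-2023-22522 and Bamboo CVE-2023-22516) to a constructed inventory, covering the "identify affected instances" step of the Confluence mitigation and the Bamboo upgrade guidance. Host names and versions in the inventory are made up; the reading that releases newer than the newest listed fix also carry it follows the "or later" wording and is marked as an assumption in the code.

```python
import re

# Fixed-release tables transcribed from the two summaries above. Keys are "major.minor" series.
ADVISORIES = {
    "CVE-2023-22522": {
        "product": "Confluence Data Center and Server",
        "affected_from": "4.0.0",  # every release from 4.0.0 onward is in scope unless fixed
        "fixed": {"7.19": "7.19.17", "8.4": "8.4.5", "8.5": "8.5.4", "8.6": "8.6.2", "8.7": "8.7.1"},
    },
    "CVE-2023-22516": {
        "product": "Bamboo Data Center and Server",
        "affected_versions": {"8.1.0", "8.2.0", "9.0.0", "9.1.0", "9.2.0", "9.3.0"},
        "fixed": {"9.2": "9.2.7", "9.3": "9.3.4"},
    },
}


def parse_version(text):
    """'8.5.4-rc1' -> (8, 5, 4); integer tuples compare the way version numbers should."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def status(cve, version):
    """One of 'affected', 'fixed', 'not-affected' or 'unknown' for a product version."""
    adv = ADVISORIES[cve]
    v = parse_version(version)
    series = ".".join(str(p) for p in v[:2])
    # A series that received a fix release is patched only at or above that release.
    if series in adv["fixed"]:
        return "fixed" if v >= parse_version(adv["fixed"][series]) else "affected"
    if "affected_from" in adv:  # open-ended range (Confluence)
        if v < parse_version(adv["affected_from"]):
            return "not-affected"
        # Series with no listed fix (e.g. 8.0-8.3, 7.20) must be upgraded to one that has it.
        # Anything newer than the newest fix is assumed to carry it ("8.7.1 or later"); that
        # reading is an assumption, since the summary lists only the releases above.
        newest_fix = max(parse_version(f) for f in adv["fixed"].values())
        return "fixed" if v > newest_fix else "affected"
    if ".".join(str(p) for p in v) in adv["affected_versions"]:  # enumerated list (Bamboo)
        return "affected"
    return "unknown"  # not in the summary: check the vendor advisory before assuming safety


# Constructed inventory: (host, advisory to check against, version reported by the instance).
INVENTORY = [
    ("wiki-01.example.internal", "CVE-2023-22522", "7.19.16"),
    ("wiki-02.example.internal", "CVE-2023-22522", "8.5.4"),
    ("wiki-03.example.internal", "CVE-2023-22522", "8.3.1"),
    ("ci-01.example.internal", "CVE-2023-22516", "9.2.0"),
    ("ci-02.example.internal", "CVE-2023-22516", "9.3.4"),
    ("ci-03.example.internal", "CVE-2023-22516", "9.4.0"),
]


def needs_action(inventory):
    """Hosts to patch, or to cut off from external access until they are patched."""
    return [host for host, cve, ver in inventory if status(cve, ver) in ("affected", "unknown")]


if __name__ == "__main__":
    for host, cve, ver in INVENTORY:
        print(f"{host:28} {cve} {ver:10} {status(cve, ver)}")
    print("action required:", needs_action(INVENTORY))
```

An "unknown" result is deliberately treated as actionable: a version the summary does not list is not evidence that it is safe, and the Confluence guidance to restrict internet exposure until patched applies to it as much as to a confirmed-affected build.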