A week in security (November 17 – November 23)
Last week on Malwarebytes Labs: AI teddy bear for kids responds with sexual content and advice about weapons; Fake calendar invites are spreading. Here’s how to remove them and prevent more; Budget Samsung phones shipped with unremovable spyware, say researchers; What the Flock is happening with...
Malicious code in doordash-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc2c2fc3e4bccd347a784ca9271e03d26dcc7e89c2e697f9e04b2e1e26cfc80d The package doordash-ui was found to contain malicious code. Source: ossf-package-analysis...
MAL-2025-190617 Malicious code in doordash-ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc2c2fc3e4bccd347a784ca9271e03d26dcc7e89c2e697f9e04b2e1e26cfc80d The package doordash-ui was found to contain malicious code. Source: ossf-package-analysis...
EUVD-2025-198552
Malicious code in doordash-ui npm...
Thieves order a tasty takeout of names and addresses from DoorDash
DoorDash is known for delivering takeout food, but last month the company accidentally served up a tasty plate of personal data, too. It disclosed a breach on October 25, 2025, where an employee fell for a social engineering attack that allowed attackers to gain account access. Breaches like thes...
EUVD-2019-7801
Malware in sbrugna...
CVE-2019-17397
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...
DoorDash Hack
A DoorDash driver stole over $2.5 million over several months: The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the othe...
Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested
A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. The Spanish daily Murcia Today...
Fla. Man Charged in SIM-Swapping Spree is Key Suspect in Hacker Groups Oktapus, Scattered Spider
On Jan. 9, 2024, U.S. authorities arrested a 19-year-old Florida man charged with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency. Sources close to the investigation tell KrebsOnSecurity the accused was a key member of a criminal hacki...
A week in security (June 19 - 25)
Last week on Malwarebytes Labs: Microsoft Azure AD flaw can lead to account takeover; 5 facts to know about the Royal ransomware gang; Malwarebytes only vendor to win every MRG Effitas award in 2022 & 2023; UPS warns customers of phishing attempts after data accessed; 6 tips for a cybersecure honeymo...
Phishing scam takes $950k from DoorDash drivers
A particularly nasty slice of phishing, scamming, and social engineering is responsible for DoorDash drivers losing a group total of around $950k. DoorDash drivers are contractors who pick up food deliveries from stores and restaurants and deliver the products to the customer. A 21-year-old man...
DoorDash Data Breach - Third Party Vendor Blamed Over Phishing Attack
By Deeba Ahmed. DoorDash has revealed that hackers managed to steal third-party employee credentials and used them to access some of the company's internal tools and customer data.
DoorDash application for Android log message disclosure vulnerability
DoorDash application for Android is an online takeout application from DoorDash USA based on the Android platform. A log information disclosure vulnerability exists in the DoorDash application for Android version 11.5.2, which originates from the abnormal output of log files from a networked syst...
Default credentials
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...
CVE-2019-17397
The CVE-2019-17397 entry affects the DoorDash Android app (up to version 11.5.2). The underlying issue is that during authentication, the username and password are written to logs (logcat), making them potentially accessible to attackers who can read the device logs. This describes credential lea...
A week in security (September 23 – 29)
Last week on Labs, we highlighted an Emotet campaign using Snowden’s new book as a lure, discussed how 15,000 webcams are vulnerable to attack, how insurance data security laws skirt political turmoil, and how the new iOS exploit checkm8 allows permanent compromise of iPhones. Other cybersecurity...