Welcome to the DanSec Blog

Cybersecurity Brief – 2025-06-08

Major Incidents or Breaches

  • A supply chain attack compromised 15 popular Gluestack NPM packages, which collectively have over 950,000 weekly downloads. The compromised packages were modified to include malicious code functioning as a remote access trojan (RAT).
  • Two malicious NPM packages, disguised as utility tools, were discovered to be destructive data wipers. When installed, these packages delete entire application directories, causing potential data loss for affected users.
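
Both items above come down to a dependency changing underneath a project between two installs. One routine control is to diff the lockfile in review and refuse the merge when a watched scope moves or a tarball's integrity hash changes without a version change. The script below is an added example, not code from the original post or from any of the affected projects; the two lockfiles and the `@example/*` package names are constructed placeholders, not the compromised packages.

```python
"""Diff two npm lockfiles (package-lock.json, lockfileVersion 2 or 3) and
flag version or integrity changes that should be reviewed before `npm ci`
pulls them in. Added example, not from the original post; the two lockfiles
below are constructed and the package names are placeholders."""
import json


def _packages(lock: dict) -> dict:
    """Map node_modules path -> (name, version, integrity) from the 'packages' table."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        # "node_modules/a/node_modules/@s/b" -> "@s/b"; keep the full path as key
        # so nested copies of the same name are compared separately.
        name = path.split("node_modules/")[-1]
        out[path] = (name, meta.get("version"), meta.get("integrity"))
    return out


def lockfile_diff(old: dict, new: dict, watched_scopes=()) -> list:
    """Return one finding per added, removed or changed dependency.

    A changed entry with the same version but a different integrity hash means
    the resolved tarball differs from what was reviewed last time; the registry
    does not do that on its own, so it is the most suspicious case."""
    a, b = _packages(old), _packages(new)
    findings = []
    for path in sorted(set(a) | set(b)):
        before, after = a.get(path), b.get(path)
        if before == after:
            continue
        name = (after or before)[0]
        findings.append({
            "package": name,
            "path": path,
            "kind": "added" if before is None else "removed" if after is None else "changed",
            "old": before[1] if before else None,
            "new": after[1] if after else None,
            "integrity_changed": bool(before and after and before[2] != after[2]),
            "watched": any(name == s or name.startswith(s + "/") for s in watched_scopes),
        })
    return findings


def needs_review(findings: list) -> bool:
    """Block the merge when a watched package moved or a tarball changed under a fixed version."""
    return any(f["watched"] or (f["integrity_changed"] and f["old"] == f["new"])
               for f in findings)


# Constructed fixtures: the "before" and "after" lockfiles of a hypothetical app.
OLD_LOCK = {"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@example/ui-button": {"version": "1.2.0", "integrity": "sha512-AAA"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-LLL"},
}}
NEW_LOCK = {"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app", "version": "1.0.0"},
    "node_modules/@example/ui-button": {"version": "1.2.1", "integrity": "sha512-BBB"},
    "node_modules/@example/ui-toast": {"version": "0.9.0", "integrity": "sha512-TTT"},
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-MMM"},
}}

if __name__ == "__main__":
    import sys
    # Real use: python lockdiff.py old/package-lock.json new/package-lock.json
    if len(sys.argv) == 3:
        old, new = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        old, new = OLD_LOCK, NEW_LOCK
    findings = lockfile_diff(old, new, watched_scopes=("@example",))
    for f in findings:
        print(f)
    print("review required:", needs_review(findings))
```

Run it against the lockfile from the target branch and the one from the pull request; pair it with `npm ci --ignore-scripts` so that nothing executes during install until the diff has been read.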

Cybersecurity Brief – 2025-06-07

Major Incidents or Breaches

  • Optima Tax Relief, a U.S. tax resolution firm, suffered a Chaos ransomware attack, and the data stolen in it has been leaked.
  • Kettering Health, a healthcare provider operating 14 medical centers in Ohio, confirmed that a May cyberattack was carried out by the Interlock ransomware group and involved data exfiltration.
  • Ukrainian critical infrastructure was targeted in a disruptive attack using PathWiper, a previously unseen data wiper.
  • 86 million AT&T customer records, including names, dates of birth, phone numbers, email addresses, street addresses, and Social Security numbers, are reportedly being sold on the dark web.

Cybersecurity Brief – 2025-06-06

Major Incidents or Breaches

  • The Interlock ransomware group claimed responsibility for a cyberattack on Kettering Health, leaking data allegedly stolen from the healthcare network’s systems.
  • A threat actor has re-released data from the 2021 AT&T breach, this time combining files to directly link Social Security numbers and birth dates to 49 million phone numbers.
  • Two members of the ViLE gang were sentenced for breaching a US federal law enforcement web portal and conducting an extortion scheme.
  • The U.S. Department of Justice seized cryptocurrency funds and 145 clearnet and dark web domains associated with the BidenCash carding marketplace.
  • Cisco Talos researchers reported a destructive ‘PathWiper’ attack using new wiper malware against an unnamed critical infrastructure organization in Ukraine.
  • Thousands of Asus routers have been compromised and incorporated into botnets.
  • Cybercriminals are exploiting a simple technique to steal Salesforce business data for extortion purposes.
  • The FBI issued an alert that the BADBOX 2.0 Android malware campaign has infected over 1 million consumer IoT devices, converting them into residential proxies for malicious use.

Cybersecurity Brief – 2025-06-05

Major Incidents or Breaches

  • The Play ransomware gang has breached approximately 900 organizations globally as of May 2025, including critical infrastructure and government entities, according to an FBI advisory.
  • Media giant Lee Enterprises has disclosed a data breach affecting nearly 40,000 individuals, resulting from a February 2025 ransomware attack.
  • Ukrainian police arrested a hacker who compromised 5,000 accounts at an international hosting company to mine cryptocurrency, causing $4.5 million in damages.
  • Ukrainian intelligence claims to have hacked Russian aerospace and defense company Tupolev, developer of strategic bombers.
  • Multiple domains of the BidenCash carding market, a dark web marketplace for stolen credit cards and personal data, have been seized in an international law enforcement operation.

Cybersecurity Brief – 2025-06-04

Major Incidents or Breaches

  • Victoria’s Secret has delayed its Q1 2025 earnings release due to ongoing corporate system restoration efforts following a security incident on 24 May.
  • A data breach at Coinbase has been attributed to customer support representatives at TaskUs in India who were bribed to hand over data from the crypto exchange.

Newly Discovered Vulnerabilities

  • Hewlett Packard Enterprise (HPE) released security patches for eight vulnerabilities in StoreOnce, including a critical remote authentication bypass flaw.
  • A critical 10-year-old vulnerability in Roundcube webmail software allows authenticated users to execute arbitrary code.
  • Google patched a new Chrome zero-day vulnerability currently being exploited in the wild; this is the third Chrome zero-day exploited this year.
  • Two newly disclosed vBulletin vulnerabilities (CVE-2025-48827, CVE-2025-48828) are easily exploitable and present risks to bulletin board deployments.
  • CISA has issued a warning regarding active exploitation of a recently patched ConnectWise ScreenConnect vulnerability that allows remote code execution.

Cybersecurity Brief – 2025-06-03

Major Incidents or Breaches

  • Cartier disclosed a data breach after its systems were compromised, exposing customers’ personal information.
  • The North Face warned customers of a credential stuffing attack in April that resulted in theft of personal information from its website.
  • SentinelOne experienced a seven-hour outage due to a software flaw.
  • A significant phishing campaign is targeting users in France, using leaked personal data to craft convincing emails.
  • The “Russian Market” cybercrime marketplace has become a major platform for trading credentials stolen by information stealer malware.

Cybersecurity Brief – 2025-06-02

Major Incidents or Breaches

  • A spear-phishing campaign has been identified targeting Chief Financial Officers (CFOs) and other financial executives across six global regions. Attackers are distributing emails posing as recruiters and leveraging the legitimate remote access tool NetBird to establish persistent access to victims’ systems.

Newly Discovered Vulnerabilities

  • A trojanized version of the PuTTY SSH client has been observed in the wild. Attackers are distributing this malicious version to establish unauthorized remote access via a simple SSH backdoor.

Cybersecurity Brief – 2025-06-01

Major Incidents or Breaches

  • The U.S. Department of Justice, in coordination with international law enforcement, seized four domains that provided crypting services to cybercriminals. These services enabled threat actors to obfuscate malware and evade detection by security tools.

Newly Discovered Vulnerabilities

  • Two information disclosure vulnerabilities have been identified in the core dump handlers apport and systemd-coredump, affecting Ubuntu, Red Hat Enterprise Linux, and Fedora. The flaws could allow a local attacker to read core dumps of privileged (SUID) programs and recover password hashes from them.
  • Exploit details have been published for a maximum-severity vulnerability (CVE-2025-20188) in Cisco IOS XE Wireless LAN Controller (WLC) software. The flaw, an arbitrary file upload, is now more likely to be exploited.
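
Whether the core dump handlers above can leak anything depends on two kernel settings: `fs.suid_dumpable`, which decides whether a SUID process is dumped at all, and `kernel.core_pattern`, which decides whether the dump is piped to a user-space handler such as systemd-coredump or apport. The audit below is an added example, not part of the advisory or the brief; the two configurations it checks are constructed, and the `Storage=` default of `external` is systemd's documented default for coredump.conf.

```python
"""Audit the core-dump settings that decide whether a SUID process can be
dumped at all and which user-space handler receives the dump. Added example,
not from the advisory; the two configurations below are constructed."""
from pathlib import Path


def parse_coredump_conf(text: str) -> dict:
    """Return the key=value pairs of the [Coredump] section of systemd's coredump.conf."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Coredump" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_coredumps(sysctl: dict, coredump_conf: str = "") -> list:
    """Return (severity, message) findings for the given sysctl values and coredump.conf text.

    A leading '|' in kernel.core_pattern means the kernel pipes every dump to a
    user-space handler (systemd-coredump or apport, the components named above);
    fs.suid_dumpable=0 keeps SUID processes out of that path entirely."""
    findings = []
    dumpable = sysctl.get("fs.suid_dumpable", "0")
    if dumpable != "0":
        findings.append(("high", f"fs.suid_dumpable={dumpable}: SUID processes can be dumped; "
                                 "set fs.suid_dumpable=0 (sysctl -w, persist in /etc/sysctl.d)"))
    pattern = sysctl.get("kernel.core_pattern", "core")
    handler = None
    if pattern.startswith("|"):
        handler = ("systemd-coredump" if "systemd-coredump" in pattern
                   else "apport" if "apport" in pattern else "other")
        findings.append(("info", f"kernel.core_pattern pipes dumps to {handler}; "
                                 "make sure that handler is patched"))
    if handler == "systemd-coredump":
        # systemd's default when Storage= is unset is "external" (dumps written to disk)
        storage = parse_coredump_conf(coredump_conf).get("Storage", "external")
        if storage != "none":
            findings.append(("medium", f"systemd-coredump Storage={storage}: dumps are kept on disk; "
                                       "Storage=none stops writing them"))
    return findings


def live_sysctl() -> dict:
    """Read the two relevant values from /proc/sys on a Linux host (no root needed)."""
    base = Path("/proc/sys")
    return {
        "fs.suid_dumpable": (base / "fs/suid_dumpable").read_text().strip(),
        "kernel.core_pattern": (base / "kernel/core_pattern").read_text().strip(),
    }


# Constructed: a host piping dumps to apport with SUID dumping enabled, and a hardened one.
WEAK = {"fs.suid_dumpable": "2",
        "kernel.core_pattern": "|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E"}
HARDENED = {"fs.suid_dumpable": "0", "kernel.core_pattern": "core"}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_coredumps(cfg))
    try:
        conf = Path("/etc/systemd/coredump.conf").read_text()
        print("this host", audit_coredumps(live_sysctl(), conf))
    except OSError:
        pass  # not Linux, or the files are unreadable
```

A piped handler on its own is only an `info` finding: patched handlers are fine to keep. The `high` finding is the one that matters, since with `fs.suid_dumpable=0` the kernel never produces the dump that either flaw needed.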

Cybersecurity Brief – 2025-05-31

Major Incidents or Breaches

  • ConnectWise experienced a breach attributed to a “sophisticated nation state actor,” with subsequent targeting of ScreenConnect customers. Details remain limited.
  • Law enforcement took down AVCheck, an online service used by cybercriminals to test malware against commercial antivirus solutions prior to deployment.

Newly Discovered Vulnerabilities

  • Two critical vulnerabilities were identified in vBulletin forum software, with one confirmed as being actively exploited in the wild.
  • The Q1 2025 vulnerability and exploit report highlights ongoing high rates of published exploits, with notable vulnerabilities in SAP NetWeaver and Microsoft SQL Server among those actively targeted.
  • A PNG image was discovered containing concatenated payloads, demonstrating the continued use of file format manipulation for payload delivery.
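
The PNG case works because decoders stop at the IEND chunk and ignore whatever follows, so a payload can be stapled onto a valid image without breaking it. The check below walks the chunk list, verifies each CRC, and reports any bytes after IEND plus any chunk types outside the specification. It is an added example, not code from the original post or from the research it summarises; the 1x1 image and the appended payload are constructed inline.

```python
"""Check a PNG for data concatenated after its IEND chunk and for
non-standard chunk types. Added example (not from the original post);
the sample image and payload below are constructed inline."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG spec plus common extensions (APNG, eXIf).
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one chunk: 4-byte big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG used as a test fixture."""
    # width, height, bit depth, colour type (0 = grayscale), compression, filter, interlace
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte 0 + one pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def split_png(data: bytes):
    """Walk the chunk list up to IEND.

    Returns (chunks, trailing): chunks is a list of (type, length, crc_ok) and
    trailing is every byte after IEND's CRC, which a conforming decoder never
    reads and therefore never renders."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header at offset %d" % pos)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_field) != 4:
            raise ValueError("truncated chunk %r at offset %d" % (ctype, pos))
        crc_ok = struct.unpack(">I", crc_field)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]


def inspect_png(data: bytes) -> dict:
    """Summarise what a triage script wants: appended bytes, odd chunks, bad CRCs."""
    chunks, trailing = split_png(data)
    return {
        "trailing_bytes": len(trailing),
        "trailing_preview": trailing[:16],
        "unknown_chunks": [t for t, _, _ in chunks if t not in KNOWN_CHUNKS],
        "bad_crc_chunks": [t for t, _, ok in chunks if not ok],
    }


if __name__ == "__main__":
    clean = make_minimal_png()
    # Constructed payload stapled onto the end of a valid image.
    polyglot = clean + b"MZ\x90\x00" + b"constructed second-stage payload"
    print(inspect_png(clean))
    print(inspect_png(polyglot))
```

Trailing bytes are only one hiding place; payloads can also sit inside ancillary chunks (`tEXt`, `zTXt`, private types) or be spread across `IDAT` data, so treat `unknown_chunks` and unusually large ancillary chunks as the next things to look at rather than as a complete check.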

Cybersecurity Brief – 2025-05-30

Major Incidents or Breaches

  • ConnectWise, the developer of ScreenConnect remote access software, disclosed a cyberattack attributed to a suspected nation-state threat actor. The breach impacted a limited number of ScreenConnect customers.
  • Victoria’s Secret took its website and some store services offline following a security incident. The company has engaged third-party experts to investigate.
  • LexisNexis Risk Solutions reported a data breach affecting over 364,000 individuals, resulting from a December 2024 incident. The breach involved third-party access to customer data, but LexisNexis systems were not directly compromised.
  • A Managed Service Provider’s SimpleHelp RMM tool was compromised by the DragonForce ransomware group, who exfiltrated data and deployed ransomware across customer endpoints.
  • SentinelOne experienced a global outage affecting 10 commercial customer consoles, including Singularity Endpoint, XDR, Cloud Security, and related services. Services have since been restored.
