Welcome to the DanSec Blog

Cybersecurity Brief – 2025-09-16

Major Incidents or Breaches

  • Over 40 npm packages were compromised in a software supply chain attack, with attackers leveraging a malicious bundle.js file to steal credentials from affected developers and users.
  • FinWise Bank disclosed an insider breach impacting 689,000 American First Finance customers. A former employee accessed sensitive files after termination, exposing customer information.
  • KillSec ransomware group breached a major Brazilian healthcare software provider, stealing sensitive patient data and affecting a critical element of the healthcare technology supply chain.
  • Google confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS), potentially enabling unauthorised access to sensitive law enforcement data requests.
  • The FBI’s IC3 issued a warning regarding threat actors UNC6040 and UNC6395 targeting Salesforce customers. These groups have conducted data theft and extortion campaigns against organisations using Salesforce, with the FBI sharing indicators of compromise (IoCs).
  • Panama’s Ministry of Economy and Finance (MEF) was affected by a cyber incident, as reported in recent threat intelligence bulletins.
  • Fairmont Federal Credit Union in West Virginia is notifying 187,000 people of a 2023 data breach that compromised personal, financial, and medical information.

Cybersecurity Brief – 2025-09-15

Major Incidents or Breaches

  • The FBI has issued a FLASH alert regarding UNC6040 and UNC6395, two threat actor clusters actively compromising Salesforce environments. These actors are stealing sensitive data and engaging in extortion of affected organisations.

Notable Threat Actor Activity

  • Chinese-speaking users are being targeted by a malware campaign leveraging SEO poisoning. The campaign uses fake software distribution sites, hosted via GitHub Pages, to deliver HiddenGh0st, Winos, and kkRAT malware families.
  • A new phishing-as-a-service (PhaaS) platform named VoidProxy has been identified. VoidProxy is designed to target Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) services.

Cybersecurity Brief – 2025-09-14

Major Incidents or Breaches

  • Apple has issued a fourth round of spyware attack notifications to users in France in 2025, confirmed by CERT-FR. These alerts relate to targeted campaigns using sophisticated spyware, with at least four notification waves sent this year.
  • The U.S. FBI has issued a flash alert regarding cybercriminal groups UNC6040 and UNC6395, which have conducted data theft attacks targeting Salesforce platforms. Indicators of compromise have been released to assist in detection and response.
  • A critical remote code execution vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management software is being actively exploited. The vulnerability arises from deserialization of untrusted data, allowing attackers to achieve RCE. CISA has issued a warning regarding ongoing exploitation.
  • A payment system vendor, KioSoft, took over a year to patch a serious NFC card vulnerability that allowed infinite card top-ups, despite being notified in 2023. The patch has only recently been released.

Cybersecurity Brief – 2025-09-13

Major Incidents or Breaches

  • Apple has sent a fourth round of spyware notifications to users in France in 2025, with CERT-FR confirming a targeted spyware campaign against Apple device users in the country.
  • Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited via a critical remote code execution vulnerability (CVE-2025-5086), with multiple advisories and warnings from CISA.
  • A payment system vendor (KioSoft) reportedly took over a year to patch a critical NFC card vulnerability that enabled infinite card top-ups, despite being notified in 2023.
  • A new ransomware group called Yurei was identified, with initial victim data published.

Cybersecurity Brief – 2025-09-12

Major Incidents or Breaches

  • The UK train operator LNER disclosed a data breach involving a third-party supplier, resulting in the compromise of customer contact information and other data.
  • Panama’s Ministry of Economy and Finance reported a cyberattack claimed by the INC ransomware group, with indications that at least one computer was compromised.
  • Cornwell Quality Tools suffered a ransomware attack attributed to the Cactus group, impacting approximately 100,000 individuals.
  • Vyro AI experienced a data leak, attributed to poor cyber hygiene, exposing proprietary or sensitive data.
  • Apple issued warnings to customers targeted in a recent series of spyware attacks, as confirmed by the French national CERT (CERT-FR).
  • Microsoft Exchange Online experienced an outage in North America, disrupting email access for customers.
  • Meta faces whistleblower allegations of ignoring child sex abuse risks within its VR “metaverse” environment.

Cybersecurity Brief – 2025-09-11

Major Incidents or Breaches

  • Jaguar Land Rover (JLR) confirmed a data breach following a recent cyberattack that forced system shutdowns and operational disruptions. Some company data was stolen in the incident.
  • The New York Blood Center began notifying affected individuals about a data breach resulting from a ransomware attack, confirming user data was stolen.
  • Plex, a media streaming platform, reported a data breach and advised users to reset their passwords.
  • The largest known supply-chain attack in the NPM ecosystem impacted approximately 10% of all cloud environments. Despite the scale, attackers reportedly gained little financial benefit.
  • An open-source developer known as “qix” disclosed a compromise of their GitHub account after being socially engineered to surrender access credentials.
  • A DDoS mitigation service provider in Europe was targeted by a distributed denial-of-service attack peaking at 1.5 billion packets per second.

Cybersecurity Brief – 2025-09-10

Major Incidents or Breaches

  • Plex has disclosed a data breach affecting emails, usernames, password hashes, and authentication data stored in a database. Users have been urged to reset their passwords.
  • Wayne Memorial Hospital suffered a breach in May 2024, with hackers stealing names, Social Security numbers, financial information, and protected health information of approximately 160,000 individuals.
  • Qantas reduced executive pay following a data breach earlier this year in which threat actors compromised a third-party platform and accessed customer personal information.

Cybersecurity Brief – 2025-09-09

Major Incidents or Breaches

  • Multiple popular npm JavaScript packages, collectively exceeding two billion weekly downloads, were compromised in a supply chain attack after a maintainer’s account was accessed via phishing. At least 18–20 high-profile packages were affected, with attackers injecting malicious code to steal cryptocurrency and other sensitive data.
  • Salesloft experienced a breach beginning with the compromise of its GitHub account in March. Attackers stole Drift OAuth tokens, which were later used in widespread attacks targeting Salesforce instances in August, impacting at least 22 companies, including major cybersecurity firms such as BeyondTrust, Bugcrowd, CyberArk, Cato Networks, JFrog, and Rubrik.
  • A new supply chain attack, dubbed ‘GhostAction’, targeted GitHub workflows, leading to the theft of 3,325 secrets, including PyPI, npm, DockerHub and GitHub tokens as well as Cloudflare and AWS keys. Hundreds of repositories were affected.
  • Plex, a media streaming platform, suffered a data breach in which a hacker accessed customer authentication data. Customers have been advised to reset their passwords.
  • Lovesac, a US-based furniture company, confirmed a data breach following ransomware attack claims, with exposure of personal data for an undisclosed number of individuals.
  • Wealthsimple, a Canadian fintech firm, reported a data breach resulting from a supply chain attack, impacting some customer information but not compromising accounts or funds.
  • In the second phase of the Nx supply chain attack, over 6,700 private repositories from hundreds of organizations were made public.
  • iCloud Calendar infrastructure was abused in a phishing campaign targeting PayPal users, leveraging Apple and Microsoft services to send legitimate-seeming call-back phishing emails.

Cybersecurity Brief – 2025-09-08

Major Incidents or Breaches

  • iCloud Calendar invites are being abused to deliver callback phishing emails that appear as purchase notifications. These emails are sent directly from Apple’s own servers, increasing the likelihood of bypassing spam filters and being delivered to users’ inboxes.

Notable Threat Actor Activity

  • Threat actors are leveraging Apple’s legitimate iCloud Calendar infrastructure to distribute phishing messages, exploiting the trust and deliverability associated with Apple’s email servers.

Cybersecurity Brief – 2025-09-07

Major Incidents or Breaches

  • The “s1ngularity” NPM supply chain attack has compromised 2,180 GitHub accounts, resulting in the leakage of account tokens and repository secrets. The attack leveraged AI-powered malware to automate the compromise and exfiltration process.
  • VirusTotal has identified a phishing campaign leveraging SVG files to impersonate Colombia’s judicial system. The campaign delivers hidden malware through convincing portal interfaces embedded within the SVG files.

Notable Threat Actor Activity

  • A threat actor, potentially of Russian origin and tracked as “Noisy Bear,” has been linked to Operation BarrelFire, a phishing campaign targeting the energy sector in Kazakhstan. The activity involves tailored phishing lures and custom malware payloads.
