Major Incidents or Breaches

  • Over 75 company servers have been breached via active, large-scale exploitation of a critical Microsoft SharePoint zero-day vulnerability (CVE-2025-53770, CVSS 9.8). At least 85 organisations are confirmed affected, with exploitation ongoing since at least July 18th.
  • Over 3,500 websites have been compromised to host stealthy JavaScript-based cryptocurrency miners that use advanced obfuscation and WebSocket communication to evade detection.
  • Five npm packages were injected with malware following a phishing campaign that resulted in the theft of maintainer tokens, constituting a significant software supply chain attack.

Newly Discovered Vulnerabilities

  • Microsoft SharePoint is affected by two zero-day remote code execution vulnerabilities (CVE-2025-53770 and CVE-2025-53771), both actively exploited in the wild. Emergency patches have been released for some of the flaws, but at least one remains unpatched. Microsoft recommends applying the published mitigations and beginning threat hunting for signs of compromise.
  • CrushFTP has a critical vulnerability (CVE-2025-54309, CVSS 9.0) under active exploitation, allowing attackers to gain administrative access on unpatched servers.
  • Hewlett Packard Enterprise (HPE) Aruba Instant On Access Points contain hardcoded credentials that allow attackers to bypass authentication and access the web interface. Security updates have been released to address the issue.

Notable Threat Actor Activity

  • The PoisonSeed threat group is bypassing FIDO key protections by exploiting QR code phishing and abusing cross-device sign-in features to deceive users into approving malicious authentication requests.
  • EncryptHub (aka LARVA-208/Water Gamayun) is targeting Web3 developers with phishing campaigns using fake AI platforms to distribute the Fickle Stealer information-stealing malware.

Trends, Tools, or Tactics of Interest

  • Attackers are reviving browser-based cryptojacking, compromising thousands of sites with stealthy JavaScript miners that leverage WebSockets for covert communication.
  • A new toolkit, CredMaster, facilitates anonymous password spraying attacks by routing traffic through AWS proxies with rotating IPs to evade detection and throttling.
  • Supply chain attacks on open-source repositories continue, with phishing campaigns targeting package maintainers to steal credentials and inject malicious code.

Regulatory or Policy Developments Affecting the Security Industry

  • Microsoft has issued emergency security guidance and patches for SharePoint zero-days, urging organisations to apply mitigations and conduct compromise assessments due to ongoing exploitation.