Major Incidents or Breaches

  • TransUnion suffered a data breach impacting over 4.4 million individuals in the US, exposing personal information but not credit reports or core credit data.
  • MathWorks (MATLAB developer) disclosed a ransomware attack that resulted in the theft of data belonging to over 10,000 individuals.
  • Google confirmed that the Salesloft breach is broader than first reported: the attackers used stolen OAuth tokens not only to access Salesforce data but also Google Workspace email accounts. Organizations that connected the integration should treat every token issued to it as compromised and revoke it.
  • The maintainers of the Nx build system reported a supply chain attack in which malicious npm packages and plugins carrying a credential stealer were published, leaking over 2,300 secrets (GitHub tokens, cloud and AI-service credentials). Researchers describe it as the first known supply chain attack in which the stealer used AI tooling on the victim's machine to locate secrets.
  • Law enforcement agencies (FBI and Dutch Police) seized servers and domains associated with the VerifTools fake ID marketplace.
  • TransUnion and MathWorks incidents highlight continued targeting of large data repositories by threat actors, with significant personal data exposure.
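
The Nx incident above is the usual pattern for malicious npm packages: the payload runs from an install-time lifecycle hook the moment `npm install` executes. The following is an added example (not code from the Nx project or from the incident write-up) that walks a node_modules tree and lists every package declaring such a hook, with a heuristic split between expected native-addon builds and commands that need review. The sample tree it builds is constructed for illustration; the package names and commands in it are hypothetical.

```python
"""Audit a node_modules tree for packages that declare install-time lifecycle scripts.

Added example, not code from the Nx project or from the incident write-up.
The sample tree below is constructed; its package names and commands are hypothetical.
"""
import json
import os
import tempfile

# npm hooks that run automatically during installation ("prepare" also runs for git dependencies).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic (an assumption for this example, not a rule from the page): native
# addon builds are the common legitimate reason for an install hook.
EXPECTED_BUILD_COMMANDS = ("node-gyp rebuild", "prebuild-install", "node-pre-gyp install")


def classify(command):
    """Label an install-hook command as an expected native build or as needing review."""
    cmd = command.strip()
    if any(cmd.startswith(prefix) for prefix in EXPECTED_BUILD_COMMANDS):
        return "expected-native-build"
    return "review"


def find_lifecycle_scripts(node_modules):
    """Return {package_name: {hook: command}} for every package.json under
    node_modules (nested node_modules included) that declares an install hook."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(node_modules):
        if "package.json" not in filenames:
            continue
        manifest_path = os.path.join(dirpath, "package.json")
        try:
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        scripts = manifest.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        hooks = {hook: scripts[hook] for hook in LIFECYCLE_HOOKS if hook in scripts}
        if hooks:
            name = manifest.get("name") or os.path.relpath(dirpath, node_modules)
            findings[name] = hooks
    return findings


def audit(node_modules):
    """Return {package_name: {hook: (command, classification)}}."""
    return {
        name: {hook: (cmd, classify(cmd)) for hook, cmd in hooks.items()}
        for name, hooks in find_lifecycle_scripts(node_modules).items()
    }


def build_sample_tree(root):
    """Create a constructed node_modules tree: one package without scripts, one
    native addon with an expected build hook, and one with a stealer-style
    postinstall hook that runs an arbitrary script."""
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "native-addon": {"name": "native-addon", "version": "2.0.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "@acme/build-helper": {"name": "@acme/build-helper", "version": "1.0.1",
                               "scripts": {"postinstall": "node setup.js", "test": "jest"}},
    }
    node_modules = os.path.join(root, "node_modules")
    for name, manifest in packages.items():
        pkg_dir = os.path.join(node_modules, *name.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return node_modules


def run_sample_audit():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_tree(tmp))


if __name__ == "__main__":
    for pkg, hooks in sorted(run_sample_audit().items()):
        for hook, (cmd, label) in hooks.items():
            print(f"{label:22} {pkg}: {hook} -> {cmd}")
```

Run it against a real checkout by calling `audit("path/to/node_modules")`. During an investigation, `npm ci --ignore-scripts` installs from the lockfile without executing any hook, which lets you enumerate and read the scripts before deciding whether to run them.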

Newly Discovered Vulnerabilities

  • A high-severity authentication bypass vulnerability was disclosed in Passwordstate, an enterprise password manager. Customers have been urged to patch immediately.
  • A flaw in the Visual Studio Code Marketplace allows attackers to publish a new extension under the name of a previously deleted one. Tooling or users that install by name alone could then pull attacker-controlled code, a software supply chain risk.
  • Researchers highlighted security weaknesses in popular project management tools (e.g., Trello, Asana), including data exposure risks and insufficient backup protections.

Notable Threat Actor Activity

  • The China-linked APT group Salt Typhoon has exploited vulnerabilities in Cisco, Ivanti, and Palo Alto devices to breach over 600 organizations globally, including critical infrastructure in telecom, government, and military sectors. The group maintains persistent access for espionage purposes.
  • Cybercriminals are actively recruiting social engineering talent with fluent English skills, according to a new report on the cybercriminal recruitment ecosystem.
  • A new phishing-as-a-service (PhaaS) platform named “Salty 2FA” is being used to bypass MFA and steal Microsoft 365 credentials, targeting organizations across North America and Europe.
  • The TamperedChef malware campaign uses malvertising and fake PDF editor sites to deliver an information stealer that exfiltrates credentials and cookies.
  • North Korean IT worker schemes were targeted by new US Treasury sanctions, exposing $600K in crypto transfers and over $1M in profits for DPRK-linked threat actors.
  • Threat actors have abused Anthropic’s Claude AI to develop ransomware and automate data extortion campaigns.
  • Akira and Cl0p remain among the most active ransomware-as-a-service groups, with reports noting increased use of AI by both established and emerging gangs.

Trends, Tools, or Tactics of Interest

  • The Nx build system compromise is reported as the first AI-weaponized supply chain attack: the malicious packages carried a stealer that used AI tooling to rapidly locate and exfiltrate developer secrets. The practical lesson for consumers of npm packages is unchanged: install from a lockfile and treat install-time lifecycle scripts as code execution.
  • Web honeypot logs show a notable rise in requests for ZIP files, most plausibly attackers scanning for backup or source archives left in web roots, where a single hit can yield credentials or source code.
  • Shadow IT continues to expand organizational attack surfaces, with researchers finding widespread exposed backups, open Git repositories, and accessible admin panels containing sensitive data.
  • RedExt, a browser extension-based C2 framework, has been released for red team operations, enabling data collection and command-and-control via Chromium-based browsers.
  • Meta reported shutting down millions of WhatsApp accounts linked to scam centers, reflecting ongoing large-scale anti-fraud operations.
  • Increasing use of malvertising and fake software download sites to deliver malware, as seen in the TamperedChef campaign.
  • Affiliates are flocking to scam gambling sites that lure victims with free credits and steal cryptocurrency deposits.
  • Microsoft Word for Windows will soon autosave and default to cloud storage for new documents.
  • CISA, FBI, and NSA issued a global advisory on the widespread espionage activities of Chinese nation-state actors targeting network devices.
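
The ZIP-request trend and the exposed-backup/open-Git findings above are easy to hunt for in ordinary access logs. The following is an added example (not from the honeypot report or any tool the page cites) that parses lines in the common "combined" log format, groups requests for archive files and for secret-bearing paths such as /.git/HEAD and /.env by source address, and separately reports any such path the server actually served with a 200, which is the exposed-file case rather than a mere probe. The log lines are constructed for illustration, the addresses are documentation ranges, and the suffix list and threshold are assumptions.

```python
"""Flag archive and secret-file probes in web server access logs.

Added example, not code from the honeypot report the page cites. Log lines are
constructed; suffix lists and the alert threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed lists: archive/backup suffixes attackers probe for, and paths that leak secrets.
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz", ".bak", ".sql", ".sql.gz")
SECRET_PATHS = ("/.git/head", "/.git/config", "/.env")

# Constructed sample log (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2025:10:12:01 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2025:10:12:02 +0000] "GET /www.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2025:10:12:02 +0000] "GET /site.tar.gz HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [28/Aug/2025:10:13:10 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "python-requests/2.32"
198.51.100.23 - - [28/Aug/2025:10:13:11 +0000] "GET /.env HTTP/1.1" 200 312 "-" "python-requests/2.32"
192.0.2.55 - - [28/Aug/2025:10:14:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [28/Aug/2025:10:14:01 +0000] "GET /assets/app.js?v=3 HTTP/1.1" 200 88123 "-" "Mozilla/5.0"
this line is not in log format and is skipped
203.0.113.7 - - [28/Aug/2025:10:15:00 +0000] "GET /db.sql.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string and normalise case so "/.git/HEAD" and "/.git/head" compare equal.
    rec["path"] = urlsplit(rec["target"]).path.lower()
    rec["status"] = int(rec["status"])
    return rec


def classify_path(path):
    """Return "secret-probe", "archive", or None for an uninteresting path."""
    if path in SECRET_PATHS:
        return "secret-probe"
    if path.endswith(ARCHIVE_SUFFIXES):
        return "archive"
    return None


def summarize(lines):
    """Group interesting requests by source IP: counts per category, the paths
    requested, and the subset the server answered with 200 (actually exposed)."""
    summary = defaultdict(lambda: {"archive": 0, "secret-probe": 0, "paths": [], "served": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify_path(rec["path"])
        if kind is None:
            continue
        entry = summary[rec["ip"]]
        entry[kind] += 1
        entry["paths"].append(rec["path"])
        if rec["status"] == 200:
            entry["served"].append(rec["path"])
    return dict(summary)


def flag_sources(summary, min_hits=2):
    """Source IPs with at least min_hits (assumed threshold) archive or secret probes."""
    return sorted(ip for ip, e in summary.items() if e["archive"] + e["secret-probe"] >= min_hits)


def exposed_files(summary):
    """Archive or secret paths that were actually served: these need removal, not just blocking."""
    return sorted({p for e in summary.values() for p in e["served"]})


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for ip in flag_sources(result):
        print(f"{ip}: archive={result[ip]['archive']} secret-probe={result[ip]['secret-probe']}")
    print("exposed:", exposed_files(result))
```

Feed a real log with `summarize(open("access.log"))`. The split between `flag_sources` (scanners to block or rate-limit) and `exposed_files` (files that must be removed from the web root and whose contents should be treated as leaked) matters: on a honeypot every hit is a 404, but on a production host a single 200 for /.env or /backup.zip is an incident, not a trend.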

Regulatory or Policy Developments

  • The US Treasury’s Office of Foreign Assets Control (OFAC) imposed new sanctions on individuals and entities associated with North Korean IT worker schemes.
  • The FCC disconnected over a thousand voice operators from the public telephone network for failing to combat robocalling.
  • CISA released updated Software Bill of Materials (SBOM) guidelines, receiving mixed industry reviews regarding their effectiveness and practical utility.