Cybersecurity Brief – 2025-09-09
Major Incidents or Breaches
- Multiple popular npm JavaScript packages, collectively exceeding two billion weekly downloads, were compromised in a supply chain attack after a maintainer’s account was accessed via phishing. At least 18–20 high-profile packages were affected, with attackers injecting malicious code to steal cryptocurrency and other sensitive data.
- Salesloft experienced a breach beginning with the compromise of its GitHub account in March. Attackers stole Drift OAuth tokens, which were later used in widespread attacks targeting Salesforce instances in August, impacting at least 22 companies, including major cybersecurity firms such as BeyondTrust, Bugcrowd, CyberArk, Cato Networks, JFrog, and Rubrik.
- A new supply chain attack, dubbed ‘GhostAction’, targeted GitHub workflows, leading to the theft of 3,325 secrets, including PyPI, npm, DockerHub and GitHub tokens as well as Cloudflare and AWS keys. Hundreds of repositories were affected.
- Plex, a media streaming platform, suffered a data breach in which a hacker accessed customer authentication data. Customers have been advised to reset their passwords.
- Lovesac, a US-based furniture company, confirmed a data breach following ransomware attack claims, with exposure of personal data for an undisclosed number of individuals.
- Wealthsimple, a Canadian fintech firm, reported a data breach resulting from a supply chain attack, impacting some customer information but not compromising accounts or funds.
- In the second phase of the Nx supply chain attack, over 6,700 private repositories from hundreds of organizations were made public.
- iCloud Calendar infrastructure was abused in a phishing campaign targeting PayPal users, leveraging Apple and Microsoft services to send legitimate-seeming call-back phishing emails.
Newly Discovered Vulnerabilities
- Researchers observed a surge in network scans targeting Cisco ASA devices, raising concerns about a potential upcoming vulnerability or exploitation campaign against these products.
Notable Threat Actor Activity
- At least 45 previously unreported domains dating back to May 2020 have been linked to China-backed threat actors Salt Typhoon and UNC4841, indicating longstanding cyber-espionage operations using undiscovered infrastructure for persistent access.
- A campaign attributed to China’s APT41 involved impersonating a US lawmaker to deliver malware to US trade groups, aiming to collect intelligence ahead of trade talks.
- The GPUGate malware campaign is using paid Google search ads and fake GitHub commits to distribute malware to IT firms, targeting users searching for popular tools.
- ‘MostereRAT’ malware, deployed by an unidentified threat actor, is designed to evade and disable endpoint detection and response (EDR) tools, enabling long-term persistence on Windows systems.
Trends, Tools, or Tactics of Interest
- Multiple supply chain attacks are targeting software development ecosystems, with a focus on compromising developer accounts (notably via phishing) to inject malicious code into widely used packages and repositories.
- Attackers are increasingly targeting CI/CD pipelines and GitHub workflows to steal secrets and credentials at scale.
- AI-powered ransomware is emerging, with proof-of-concept tools like PromptLock demonstrating the potential for LLM-orchestrated file encryption and extortion.
- Threat actors are leveraging legitimate cloud services and infrastructure (Apple, Microsoft) to increase the credibility and deliverability of phishing campaigns.
- Honeypots observed new attack traffic that carried HTTP request signatures, indicating that attackers are adopting the mechanism for authentication and evasion.
Regulatory or Policy Developments
- CISA announced its top priorities for securing US infrastructure at the Billington CyberSecurity Summit, with a focus on operational collaboration and innovation between government and industry.
- Significant cybersecurity industry M&A activity continued, with 27 deals in August involving major vendors including Accenture, CrowdStrike, F5, Okta, and SentinelOne.
Other Security Technology Developments
- Signal introduced an opt-in feature for end-to-end encrypted cloud backups, enabling users to securely restore chats if devices are lost or damaged.