Major Incidents or Breaches

  • Over 40 npm packages were compromised in a software supply chain attack, with attackers leveraging a malicious bundle.js file to steal credentials from affected developers and users.
  • FinWise Bank disclosed an insider breach impacting 689,000 American First Finance customers. A former employee accessed sensitive files after termination, exposing customer information.
  • KillSec ransomware group breached a major Brazilian healthcare software provider, stealing sensitive patient data and affecting a critical element of the healthcare technology supply chain.
  • Google confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS), potentially enabling unauthorised access to sensitive law enforcement data requests.
  • The FBI’s IC3 issued a warning regarding threat actors UNC6040 and UNC6395 targeting Salesforce customers. These groups have conducted data theft and extortion campaigns against organisations using Salesforce, with the FBI sharing indicators of compromise (IoCs).
  • Panama’s Ministry of Economy and Finance (MEF) was affected by a cyber incident, as reported in recent threat intelligence bulletins.
  • Fairmont Federal Credit Union in West Virginia is notifying 187,000 people of a 2023 data breach that compromised personal, financial, and medical information.

Newly Discovered Vulnerabilities

  • Samsung patched a zero-day vulnerability in Android devices that allowed remote code execution and was reportedly exploited by a spyware vendor. The flaw was reported by Meta and WhatsApp.
  • Academic researchers disclosed a new “Phoenix” Rowhammer attack variant that bypasses current DDR5 memory protection mechanisms from SK Hynix, allowing bit-flipping attacks despite existing mitigations.
  • Apple released iOS/iPadOS/macOS/watchOS/tvOS 26, addressing multiple security issues across its ecosystem.
  • Microsoft confirmed that the September 2025 Windows updates are causing connection issues to SMBv1 shares.
  • Microsoft has removed a safeguard hold for Windows 11 24H2 upgrades after resolving compatibility issues causing Bluetooth audio device malfunctions.

Notable Threat Actor Activity

  • Mustang Panda, a China-aligned threat group, was observed deploying an updated TONESHELL backdoor and a previously undocumented USB worm named SnakeDisk. The worm targets Thailand-based IPs and is used to deliver the Yokai backdoor.
  • Threat actors UNC6040 and UNC6395 continue to target Salesforce customers, conducting data theft and extortion campaigns.
  • Researchers demonstrated a “Lies-in-the-Loop” attack against Anthropic’s AI coding agent, tricking it into unsafe behaviour and enabling a potential supply chain attack.

Trends, Tools, or Tactics of Interest

  • Supply chain attacks continue to target open-source software repositories, as evidenced by the npm package compromise.
  • Browser-based attacks are drawing increased attention, with reports highlighting a significant rise in attacks targeting users through their web browsers.
  • AI integration protocols, specifically the Model Context Protocol (MCP), are being scrutinised for potential abuse in supply chain attacks, with proof-of-concept attacks demonstrating risks associated with insufficient validation of AI agent interactions.
  • Zero Trust security adoption remains inconsistent, with uneven implementation leaving organisations exposed despite its status as a security standard.
  • The use of USB worms for lateral movement and payload delivery, as seen with Mustang Panda’s SnakeDisk, indicates ongoing innovation in threat actor tactics.
  • “AI-powered” attacks and the security of AI agents are emerging as key areas of concern, including the manipulation of AI coding assistants.

Regulatory or Policy Developments Affecting the Security Industry

  • Microsoft Exchange Server 2016 and 2019 will reach end of extended support next month, with Microsoft providing guidance for decommissioning outdated servers.
  • Microsoft will begin automatically installing the Microsoft 365 Copilot app on Windows devices outside of the EEA region for users with Microsoft 365 desktop client apps, starting in October.
  • Google reportedly conducted a behind-the-scenes campaign against new California privacy legislation, though the legislation ultimately passed, potentially impacting privacy compliance requirements for tech companies operating in California.
  • CISA’s “Secure by Design” initiative is emphasising the need for resilient IT infrastructure and secure system design practices.