Major Incidents or Breaches

  • Boyd Gaming Corporation disclosed a data breach following a cyberattack, resulting in the theft of employee and customer data.
  • Jaguar Land Rover extended its production shutdown due to a cyberattack, with operations paused until at least October 1 as investigations continue.
  • The American Archive of Public Broadcasting exposed restricted and copyrighted media for years due to inadequate access controls, allowing unauthorised downloads.
  • CISA reported that attackers breached a US federal agency’s network by exploiting an unpatched GeoServer instance.
  • The US Secret Service dismantled a major telecom threat in New York, seizing over 300 servers and 100,000 SIM cards used to threaten US officials and potentially disrupt critical infrastructure near the UN.
  • Eurojust coordinated the arrest of five suspects in a cryptocurrency investment fraud scheme, responsible for over €100 million in losses across 23 countries.
  • Fake versions of Malwarebytes, LastPass, and other software are being distributed via GitHub pages in a campaign targeting Mac users.
  • Scammers are impersonating the FBI using fake IC3 websites to steal personal data.

Newly Discovered Vulnerabilities

  • Pandoc (CVE-2025-51591): Actively exploited security flaw in Linux utility Pandoc allowed attackers to target AWS Instance Metadata Service (IMDS) and steal EC2 IAM credentials.
  • Libraesva Email Security Gateway (CVE-2025-59689): Command injection vulnerability exploited by state-sponsored actors, triggered via malicious emails with crafted compressed attachments. Emergency fix released.
  • Supermicro BMC Firmware: Two new vulnerabilities allow attackers to bypass root-of-trust protections, enabling installation of malicious firmware. Previous patches have been bypassed.
  • SolarWinds Web Help Desk (CVE-2025-26399): Critical unauthenticated remote code execution vulnerability. Multiple patch attempts have been made due to previous bypasses.
  • Microsoft Entra: Research revealed all tenants were exposed to silent compromise via invisible actor tokens.
  • NPM package ‘fezbox’: Newly discovered package uses QR codes to deliver second-stage, cookie-stealing malware.
  • SonicWall SMA 100: Firmware update released to remove rootkit malware deployed in recent attacks.

Notable Threat Actor Activity

  • State-sponsored actors exploited the Libraesva Email Security Gateway vulnerability in the wild.
  • ShadowV2 botnet operators are exploiting misconfigured Docker containers hosted on AWS to build a DDoS-for-hire platform that lets customers self-manage their attacks.
  • Chinese-speaking threat actors are conducting SEO poisoning campaigns using BadIIS malware, redirecting traffic and planting web shells on compromised servers.
  • Scattered Spider: A juvenile suspect associated with this group was arrested in the US on charges of computer intrusion, extortion, and identity theft.
  • Attackers abused Google’s AppSheet platform to send phishing emails.
  • Large-scale campaign distributing fake software (Malwarebytes, LastPass, etc.) via GitHub targets Mac users.

Trends, Tools, or Tactics of Interest

  • DDoS Attacks: Cloudflare mitigated a record-breaking DDoS attack peaking at 22.2 Tbps and 10.6 billion packets per second. ShadowV2 and other botnets are leveraging exposed cloud-native tools (Docker containers) to evade detection and facilitate for-hire DDoS services.
  • Supply Chain Attacks: Surge in attacks targeting the npm ecosystem, including malicious packages and weak authentication mechanisms.
  • Ransomware: Despite rising incident counts in 2025, ransomware payments dropped 35% in 2024, indicating changes in RaaS economics.
  • Phishing: Abuse of legitimate platforms (Google AppSheet) for phishing campaigns continues.
  • SEO Poisoning: Increased use of SEO poisoning by threat actors to distribute malware and gain financial benefits.
  • Identity Governance: New free tools are emerging to streamline identity governance, onboarding, and access reviews for small organisations.
  • AI Security: New research highlights the top 25 vulnerabilities in the Model Context Protocol (MCP), with risks including prompt injection and command injection targeting AI agents.

Regulatory or Policy Developments

  • GitHub announced mandatory two-factor authentication and short-lived access tokens for npm publishing, aiming to strengthen supply chain security following recent attacks.
  • European law enforcement, coordinated by Eurojust, continues cross-border efforts against large-scale cryptocurrency fraud.
  • CISA announced Steve Casapulla as Executive Assistant Director for Infrastructure Security.
  • Reports highlight ongoing concerns about the Japanese government’s cybersecurity posture, with incident counts nearly doubling and a significant proportion of critical systems unmanaged.
  • New revelations show the US Department of Homeland Security collected DNA from nearly 2,000 US citizens, raising oversight and legality concerns.