Cybersecurity Brief – 2025-11-11
Major Incidents or Breaches
- Nearly 30 organizations, including Logitech, The Washington Post, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland, have been named on the Cl0p ransomware leak site as alleged victims of an Oracle E-Business Suite (EBS) hack.
- The US Congressional Budget Office (CBO) confirmed a data breach.
- Many Forbes AI 50 companies were found to have leaked sensitive secrets, including training data and private models, on public GitHub repositories.
Newly Discovered Vulnerabilities
- A critical vulnerability in the expr-eval JavaScript library, which sees over 800,000 weekly NPM downloads, allows remote code execution via malicious input.
- Three vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) have been patched; these could be exploited to escape container environments.
- Multiple vulnerabilities in QNAP devices, demonstrated at Pwn2Own Ireland, have been patched. These flaws could allow remote code execution, information disclosure, and denial-of-service.
- A critical, now-patched flaw in Gladinet’s Triofox file-sharing and remote access platform was exploited to install remote access tools via its antivirus feature.
- CISA has ordered US federal agencies to patch a critical Samsung zero-day vulnerability exploited in attacks that deployed LandFall spyware on WhatsApp-enabled devices.
Notable Threat Actor Activity
- The Quantum Route Redirect phishing-as-a-service (PhaaS) platform is being used in a large-scale, automated campaign targeting Microsoft 365 users globally, utilising around 1,000 domains to steal credentials.
- The North Korea-linked Konni (APT37) threat actor is abusing Google’s Find Hub tool in new attacks to track GPS positions and trigger remote data wipes on Android devices, as well as targeting Windows systems.
- GlassWorm malware has resurfaced, infecting three additional Visual Studio Code extensions and spreading via both the Open VSX marketplace and GitHub repositories, targeting developer environments.
- The ClickFix phishing campaign is targeting the hospitality sector, using infostealer and RAT malware to compromise hotel managers and subsequently launch phishing attacks against customers via email and WhatsApp.
- A Russian national has pleaded guilty to acting as an initial access broker for Yanluowang ransomware, which targeted at least eight US companies between July 2021 and November 2022.
- Fantasy Hub, a spyware-for-rent platform, is distributing RATs via fake Android apps capable of stealing logins, PINs, and messages with only SMS permissions.
Trends, Tools, or Tactics of Interest
- Attackers are increasingly leveraging LinkedIn for phishing campaigns, aiming at executives and exploiting the platform to bypass traditional email security.
- Malware is being concealed within virtual machines (e.g., Hyper-V). There is also a noted increase in side-channel attacks targeting AI chat data and in spyware campaigns against Android devices.
- Scanning activity has been observed targeting “FTP_3cx” usernames, potentially indicating attempts to exploit business phone system software.
- The Browser Security Report 2025 highlights that identity, SaaS, and AI-related risks are converging at the browser level, while traditional controls may not adequately address these threats.
- Mozilla Firefox 145 has introduced new anti-fingerprinting defenses to enhance user privacy.
- OWASP’s revised Top 10 list for web application risks now includes two new categories, with supply chain risks and security misconfiguration ranking highly.
Regulatory or Policy Developments
- Australia has imposed sanctions on individuals and entities accused of supporting North Korea’s weapons programme, mirroring recent US actions.
- CISA has mandated US federal agencies to patch a Samsung zero-day exploited in spyware campaigns.