Article Details

⚡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More. Hackers aren't kicking down the door anymore. They just use the same tools we use every day — code packages, cloud accounts, email, chat, phones, and "trusted" partners — and turn them against us. One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone, one bug in a common tool, and suddenly your mail, chats, repos, and servers are in play. Every story below is a reminder that your "safe" tools might be the real weak spot. ⚡ Threat of the Week Shai-Hulud Returns with More Aggression — The npm registry was targeted a second time by a self-replicating worm that went by the moniker "Sha1-Hulud: The Second Coming," affecting over 800 packages and 27,000 GitHub repositories. Like in the previous iteration, the main objective was to steal sensitive data like API keys, cloud credentials, and npm and GitHub authentication information, and facilitate deeper supply chain compromise in a worm-like fashion. The malware also created GitHub Actions workflows that allow for command-and-control (C2) and injected GitHub Actions workflow mechanisms to steal repository secrets. Additionally, the malware backdoored every npm package maintained by the victim, republishing them with malicious payloads that run during package installation. "Rather than relying solely on Node.js, which is more heavily monitored, the malware dynamically installs Bun during package installation, benefiting from its high performance and self-contained architecture to execute large payloads with improved stealth," Endor Labs said. "This shift likely helps the malware evade traditional defenses tuned specifically to observe Node.js behavior." GitGuardian's analysis revealed a total of 294,842 secret occurrences, which correspond to 33,185 unique secrets. Of these, 3,760 were valid as of November 27, 2025. These included GitHub access tokens, Slack webhook URLs, GitHub OAuth tokens, AWS IAM keys, OpenAI Project API keys, Slack bot tokens, Claude API keys, Google API Keys, and GitLab tokens. Trigger.dev, which had one of its engineers installing a compromised package on their development machine, said the incident led to credential theft and unauthorized access to its GitHub organization. The Python Package Index (PyPI) repository said it was not impacted by the supply chain incident. [Report] Securing Privileged Access: The Key to Modern Enterprise Defense On-prem PAM no longer cuts it. 55% of IT leaders say cloud-native PAM is now essential. Modern teams demand secure credential storage, seamless integration and real-time visibility everywhere. Download Keeper's PAM Report for key insights from 4,000 IT and security leaders. 🔔 Top News ‎️‍🔥 Trending CVEs Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week's most serious security flaws. Check them, fix what matters first, and stay protected. This week's list includes — CVE-2025-12972, CVE-2025-12970, CVE-2025-12978, CVE-2025-12977, CVE-2025-12969 (Fluent Bit), CVE-2025-13207, CVE-2024-24481 (Tenda), CVE-2025-62164 (vLLM), CVE-2025-12816 (Forge), CVE-2025-59373 (ASUS MyASUS), CVE-2025-59366 (ASUS routers) CVE-2025-65998 (Apache Syncope), CVE-2025-13357 (HashiCorp Vault Terraform Provider), CVE-2025-33183, CVE-2025-33184 (NVIDIA Isaac-GR00T), CVE-2025-33187 (NVIDIA DGX Spark), CVE-2025-12571, CVE-2024-9183 (GitLab CE/EE), CVE-2025-66035 (Angular HttpClient), and an unauthenticated DoS vulnerability in Next.js (no CVE). 📰 Around the Cyber World 🎥 Cybersecurity Webinars 🔧 Cybersecurity Tools Disclaimer: These tools are for learning and research only. They haven't been fully tested for security. If used the wrong way, they could cause harm. Check the code first, test only in safe places, and follow all rules and laws. Conclusion If there's one theme this week, it's this: nobody is "too small" or "too boring" to be a target anymore. The weak link is usually something simple — a package no one checked, a vendor no one questioned, a "temporary" token that never got revoked, a guest account nobody owns. Attackers love that stuff because it works. So don't just close this tab and move on. Pick one thing from this recap you can act on today — rotate a set of keys, tighten access for one vendor, review guest accounts, lock down an update path, or fix one high-risk bug. Then share this with the people who can break things and fix things with you. The gap between "we should do this" and "we actually did" is where most breaches live.