Daily Brief
Articles are listed below; see 'Details' for the generated summaries.
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-16 16:30:50 | thehackernews | VULNERABILITIES | Critical Chaos Mesh Flaws Could Lead to Kubernetes Cluster Takeover | Researchers identified multiple critical vulnerabilities in Chaos Mesh, a chaos-engineering platform for Kubernetes, that an attacker with only minimal in-cluster network access could use to take over the whole cluster.
The four flaws, collectively dubbed Chaotic Deputy (CVE-2025-59358, CVE-2025-59359, CVE-2025-59360 and CVE-2025-59361), allow remote code execution across the cluster.
The Chaos Controller Manager exposes a GraphQL debugging server without authentication; through it an unauthenticated caller can have commands executed by the Chaos Daemon, which runs as a privileged DaemonSet on every node.
From there an attacker can exfiltrate data, disrupt services and move laterally to other workloads in the cluster.
Chaos Mesh fixed the flaws in version 2.7.3, released on August 21, following responsible disclosure in May 2025.
Users should update promptly; where that is not yet possible, use network policies to restrict which workloads can reach the Chaos Daemon and the controller's API server.
Chaos Mesh is a fault-injection tool with node-level privileges by design, so it should not be deployed in open or weakly segmented environments. | Details |
| 2025-09-16 15:03:50 | theregister | CYBERCRIME | Self-Propagating Worm Escalates npm Supply Chain Attack Impact | A new supply chain attack on the npm registry has compromised 187 packages so far, with the attackers embedding a self-propagating worm that steals developer and cloud credentials.
The attack mirrors the earlier campaign against Nx, in which stolen developer credentials were published to public GitHub repositories, suggesting the two incidents are connected.
The tactics have escalated: the worm uses any npm publishing token it finds to push trojanised versions of other packages the victim maintains, which is how packages from organisations such as CrowdStrike were caught up in it.
The malware hunts for AWS keys, other cloud credentials and GitHub tokens, then uses them to spread further and compromise more systems.
The repositories the worm creates are named "Shai-Hulud", after the sandworm of the Dune novels, a deliberate thematic choice by the attackers.
Affected packages include widely used ones such as @ctrl/tinycolor, whose large download counts amplify the blast radius across dependent projects.
Security experts recommend uninstalling the compromised versions, pinning known-good versions, rotating every npm, GitHub and cloud token that was reachable from affected developer or CI machines, and monitoring for unexpected package publishes and repository creation.
The count of affected packages is expected to rise, so developers and security teams need ongoing vigilance and a fast response. | Details |
| 2025-09-16 14:22:06 | thehackernews | CYBERCRIME | SlopAds Fraud Ring Exploits 224 Apps for Massive Ad Fraud Scheme | The SlopAds operation spanned 224 Android apps with 38 million downloads across 228 countries and territories, generating 2.3 billion ad bid requests per day at its peak.
The fraud module, delivered steganographically inside PNG files, opened hidden WebViews that navigated to attacker-owned sites to generate fraudulent ad impressions and clicks.
The apps only switched on the fraudulent behaviour when the install was attributed to an ad click, using a mobile marketing attribution SDK to check the install source; organic installs behaved like normal apps.
Google has removed the apps from the Play Store, which disrupted the operation and sharply reduced its reach.
Conditional execution plus heavy obfuscation made the fraud hard to detect and let the malicious traffic blend with legitimate ad data.
The hidden module, dubbed FatModule, collected device information and ran the ad fraud once decoded from the concealed PNG files.
HUMAN researchers identified 300 domains associated with SlopAds, tied to a Tier-2 command-and-control server, showing the scale of the infrastructure.
The case illustrates the growing complexity of advertising fraud and the need for stronger detection on both the app-store and ad-platform side. | Details |
| 2025-09-16 14:07:45 | bleepingcomputer | MISCELLANEOUS | Team-Wide VMware Certification Enhances Security and Innovation | Organizations adopting team-wide VMware certification report improved security, innovation, and operational efficiency, creating a more collaborative and future-ready IT environment.
Certified teams experience smoother rollouts, reduced errors, and faster incident response, enhancing overall business outcomes and security posture.
VMware certifications cover essential infrastructure products like vSphere, NSX, and VMware Cloud Foundation, equipping teams to deploy securely and at scale.
vSphere expertise is critical for virtualization and security, providing built-in tools and practices to strengthen infrastructure against threats.
Certification is positioned as a strategic investment in leadership development, fostering confident and capable IT professionals who can build secure infrastructures.
Offering VMware certification can be a key talent retention strategy, demonstrating organizational commitment to employee growth and development.
VMUG Advantage facilitates affordable scaling of certifications across IT teams, offering group licensing and volume discounts to support widespread professional development. | Details |
| 2025-09-16 13:14:04 | bleepingcomputer | CYBERCRIME | Jaguar Land Rover Extends Shutdown Amid Cyberattack Fallout | Jaguar Land Rover (JLR) has prolonged its production shutdown by another week due to a cyberattack that disrupted operations in late August.
The attack has significantly impacted JLR's operations, halting production and affecting approximately 39,000 employees worldwide.
JLR confirmed data theft during the breach but has not attributed the attack to a specific cybercrime group.
A cybercriminal group, "Scattered Lapsus$ Hunters," claims responsibility, alleging ransomware deployment and sharing internal system screenshots.
The group is reportedly linked to other extortion entities like Scattered Spider, Lapsus$, and ShinyHunters, known for high-profile data thefts.
JLR is conducting a forensic investigation and planning a controlled restart of its global operations, aiming to resume by September 24, 2025.
The incident underscores the vulnerability of large enterprises to sophisticated cyber threats and the operational challenges in recovery. | Details |
| 2025-09-16 12:35:11 | thehackernews | MALWARE | New FileFix Variant Uses Phishing to Deploy StealC Malware | A new campaign uses a variant of the FileFix technique to distribute the StealC infostealer from a multilingual phishing site imitating Facebook Security pages.
The attackers rely on heavy obfuscation and anti-analysis tricks to evade detection, and host the malicious components on Bitbucket disguised as harmless images.
The chain starts when a victim clicks a phishing link and is walked through a fake policy-violation appeal that ends with a malicious PowerShell command being executed.
FileFix abuses the File Explorer window opened by a browser's file-upload control: the victim is told to paste a "file path" into its address bar, but the string is really a command, which Explorer runs; because no file is downloaded through the browser, download-focused controls are bypassed.
The campaign's infrastructure is carefully built for evasion and reach, reflecting a real investment in tradecraft.
Doppel researchers identified similar campaigns that use fake support portals and clipboard hijacking to deliver further payloads, including TeamViewer and information stealers.
AutoHotkey scripts, a legitimate automation tool, have been abused since 2019 to build lightweight malware droppers, another example of the evolving threat landscape. | Details |
| 2025-09-16 12:21:10 | bleepingcomputer | VULNERABILITIES | Apple Releases Zero-Day Patches for Older iPhones and iPads | Apple has issued security updates for older iPhones and iPads that fix CVE-2025-43300, a zero-day exploited in sophisticated targeted attacks.
The flaw is an out-of-bounds write in the Image I/O framework; processing a malicious image can crash the process, corrupt memory or lead to code execution.
The fixes ship as iOS 15.8.5, iOS 16.7.12, iPadOS 15.8.5 and iPadOS 16.7.12, and add bounds checking to the affected code.
The zero-day was used in a chain together with a WhatsApp vulnerability, delivering advanced spyware to specific targets.
Amnesty International's Security Lab noted that WhatsApp warned users of the targeted attacks, though details of the full chain remain undisclosed.
This brings the number of exploited zero-days Apple has patched in 2025 to six.
Organisations should update affected devices promptly; older devices often sit outside regular update cycles yet still hold sensitive data. | Details |
| 2025-09-16 12:10:46 | theregister | MALWARE | FileFix Campaign Exploits Fake Facebook Alerts to Deploy Infostealers | The FileFix attack poses as a Facebook security alert to deliver the StealC infostealer and has gone from proof-of-concept to a global campaign in under two months.
Victims infect themselves by pasting a crafted string into the Windows File Explorer address bar; the attack trades on trust in a familiar interface rather than on any exploit.
Researchers have observed a 517% surge in these "paste this command" social-engineering attacks, now the second most common vector after phishing.
The attackers use AI-generated images and Bitbucket-hosted payloads to evade detection, embedding PowerShell scripts and encrypted executables in benign-looking files.
The final payload is a Go-written loader that checks for virtual environments before deploying StealC, which targets browsers, cryptocurrency wallets and a range of applications.
The campaign's rapid evolution shows that anti-phishing training focused on attachments and links does not cover this vector.
Incidents have been reported in multiple countries, suggesting a coordinated effort against a global user base.
Security teams should update both training and detection, for example by alerting on command interpreters spawned by File Explorer. | Details |
| 2025-09-16 12:02:32 | bleepingcomputer | MALWARE | FileFix Attack Uses Steganography to Deploy StealC Infostealer | A new FileFix social-engineering campaign impersonates Meta account warnings to trick users into installing the StealC infostealer; FileFix is an evolution of the ClickFix family of attacks.
Users are told to paste a "path" to a Meta "incident report" into the File Explorer address bar; the pasted string is actually a PowerShell command, padded so that only the fake file path is visible in the address bar.
Acronis found that the campaign hides its malicious script inside a JPG image hosted on Bitbucket, using steganography to avoid detection.
The initial PowerShell command downloads the image, extracts and runs a second-stage script from it, and that stage ultimately deploys StealC.
Several variants appeared within two weeks, suggesting the attackers are refining the technique and testing infrastructure for later use.
Organisations should tell employees never to paste content copied from a website into a system dialog or the Explorer address bar, since this tactic is still unfamiliar to most users.
The campaign's evolution shows that defences must keep adapting to new social-engineering techniques. | Details |
| 2025-09-16 11:14:28 | thehackernews | VULNERABILITIES | Apple Releases Critical Security Patches for Exploited ImageIO Flaw | Apple has issued backported fixes for CVE-2025-43300, an out-of-bounds write in the ImageIO component that has been exploited in sophisticated spyware attacks.
The vulnerability (CVSS 8.8) corrupts memory when a malicious image file is processed, a parsing bug reachable from any app that renders untrusted images.
It was chained with CVE-2025-55177, a WhatsApp vulnerability, in attacks that hit fewer than 200 individuals on WhatsApp for iOS and macOS.
Apple first fixed the issue in August in iOS 18.6.2, iPadOS 18.6.2 and several macOS releases, and has now extended the patches to older systems.
The same update round fixes further vulnerabilities across iOS, iPadOS, macOS, tvOS, visionOS, watchOS, Safari and Xcode.
None of the other flaws is known to be exploited, but keeping systems current remains the baseline defence.
The incident again shows the value of timely patching, particularly for image-parsing code that attackers can reach with little or no user interaction. | Details |
| 2025-09-16 11:05:49 | theregister | CYBERCRIME | Jaguar Land Rover's Global Operations Halted by Cyberattack Fallout | Jaguar Land Rover (JLR) has extended its global production shutdown to nearly four weeks while remediation of the cyberattack continues, affecting operations in several countries.
The incident has forced JLR's UK sites and its plants in China, India and Slovakia to stop production temporarily.
JLR suppliers in the West Midlands, France and Germany report temporary layoffs affecting around 6,000 jobs, adding to the financial strain.
The Unite trade union is urging the UK government to introduce a COVID-style furlough scheme for workers hit by the supply-chain disruption.
JLR is estimated to be losing £5-10 million ($6-13 million) in revenue per day, with total losses since the shutdown began put at up to £240 million ($327 million).
The attack, claimed by Scattered Lapsus$ Hunters, follows similar incidents against major retailers and raises concern about the group's continuing threat to industry.
JLR's response includes a forensic investigation and a phased restart of global operations, but the recovery timeline remains uncertain. | Details |
| 2025-09-16 11:05:48 | bleepingcomputer | VULNERABILITIES | Webinar Reveals Modern Web Browsers as Primary Attack Surface | A webinar hosted by BleepingComputer and SC Media will address the critical security challenges posed by modern web browsers, now a major attack vector for identity and session threats.
Browser security experts from Push Security will discuss how attackers exploit browsers to compromise accounts, steal data, and bypass traditional security measures.
The session will highlight threats such as malicious extensions, session token theft, OAuth abuse, and emerging dangers like ClickFix and FileFix attacks.
Push Security offers a real-time detection and response platform specifically designed to address browser-based identity attacks, providing vital visibility and control.
The increasing complexity of browser functions, from authentication to SaaS data handling, has attracted cybercriminals, necessitating advanced security strategies.
Traditional endpoint and identity tools often fail to detect these sophisticated browser threats, creating significant vulnerabilities in enterprise defenses.
The webinar aims to equip security teams with actionable insights and strategies to mitigate risks and secure the modern web edge effectively. | Details |
| 2025-09-16 11:00:11 | thehackernews | MISCELLANEOUS | Astrix Launches AI Agent Control Plane for Enhanced Enterprise Security | Astrix introduces the AI Agent Control Plane (ACP) to secure AI agents, addressing risks from autonomous operations and unauthorized system access within enterprises.
Recent studies indicate 80% of companies have faced unintended AI agent actions, causing unauthorized access and data leaks, highlighting the need for specialized security solutions.
Traditional Identity and Access Management (IAM) systems struggle with AI agents due to their speed and reliance on non-human identities, necessitating new security approaches.
ACP provides AI agents with short-lived, precisely scoped credentials and just-in-time access, adhering to least privilege principles to mitigate access chaos and compliance risks.
The Discover–Secure–Deploy framework within ACP offers comprehensive visibility and security guardrails, enabling safe deployment of AI agents at scale.
By implementing ACP, organizations can fully leverage AI agents' capabilities without introducing uncontrolled risks, enhancing operational efficiency and security.
Astrix's solution addresses the growing blind spot of AI agents and non-human identities, which significantly outnumber employees and evade traditional IAM systems. | Details |
| 2025-09-16 07:32:29 | thehackernews | VULNERABILITIES | Phoenix RowHammer Attack Compromises DDR5 Memory Protections in Seconds | Researchers from ETH Zürich and Google have unveiled Phoenix, a new RowHammer attack that bypasses the advanced protection mechanisms in SK Hynix DDR5 memory chips.
RowHammer is a hardware weakness of DRAM: rapidly activating rows induces bit flips in physically adjacent rows, which an attacker can steer into unauthorized data access or privilege escalation.
Despite defences such as on-die Error Correction Code (ECC) and Target Row Refresh (TRR), Phoenix obtains root privileges on a DDR5 system in as little as 109 seconds.
All 15 DDR5 chips tested, produced between 2021 and 2024, were affected; the researchers used the flips to attack RSA-2048 keys and to escalate to root.
As a mitigation, the researchers recommend tripling the DRAM refresh rate, which stopped Phoenix from triggering bit flips on the affected systems, at some cost in performance.
The findings show that DRAM security is getting harder rather than easier: denser chips need fewer activations to flip bits, so newer parts are more susceptible.
The disclosure follows other recent RowHammer research, including OneFlip and ECC.fail, which target different DRAM configurations and protections. | Details |
| 2025-09-16 07:16:44 | theregister | DATA BREACH | China Enforces Strict One-Hour Cyber Incident Reporting Rule | From November 1, rules from China's Cyberspace Administration require network operators to report serious cyber incidents within one hour, with penalties for failing to do so.
The regulations apply to any entity that operates or provides network services, so they cover a broad range of operators.
The most severe ("particularly major") incidents, for example data breaches affecting more than 100 million citizens or causing major economic loss, must be reported within 30 minutes.
Initial reports must include details such as the affected systems, the attack timeline, a damage assessment and the potential for further harm.
Late or inaccurate reporting can bring severe penalties for both the operator and the individuals responsible.
Meeting a one-hour deadline requires real-time monitoring and will force investment in compliance and incident-response teams.
The move follows recent penalties against companies such as Dior for mishandling data, signalling China's strict approach to cybersecurity governance. | Details |