Daily Brief

Each headline below is followed by a generated summary.

Total articles found: 11760

Checks for new stories every ~15 minutes

2025-09-16 05:06:13 thehackernews VULNERABILITIES Supply Chain Attack Compromises Over 40 npm Packages for Credential Theft
A supply chain attack against the npm registry compromised more than 40 packages from several maintainers with the aim of stealing credentials from developers' machines. The compromised versions carry a malicious script, "bundle.js", that runs automatically at install time; it downloads and executes TruffleHog to scan the host for secrets such as GitHub and AWS credentials, and it works on both Windows and Linux. Where it finds a GitHub personal access token, it uses that token to create a GitHub Actions workflow in the victim's repositories that exfiltrates the harvested data to an external server. Developers are advised to audit their environments for the affected versions, rotate any tokens that may have been exposed, and remove the compromised packages. Separately, the Rust Security Response Working Group has identified a phishing campaign against crates.io users that uses a typosquatted domain to steal GitHub credentials. The emails falsely claim that crates.io infrastructure was compromised and direct recipients to a fake GitHub login page that captures what they type. Rust's security team is monitoring for suspicious activity on the registry and working to have the malicious domain taken down.
2025-09-15 23:19:21 bleepingcomputer CYBERCRIME Hackers Exploit Law Enforcement Portal, Prompting Security Concerns
Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS), the portal used for official data requests, but said no data was accessed through it. The threat actors, operating as "Scattered Lapsus$ Hunters", claimed access to both Google's LERS and the FBI's eCheck system, raising concern that such accounts could be used to impersonate law enforcement. The group, a collective drawing on ShinyHunters, Scattered Spider, and Lapsus$, has carried out extensive data-theft campaigns against high-profile targets, including Google itself and many Salesforce customers. The attackers initially used voice phishing to talk employees into connecting a malicious version of Salesforce's Data Loader tool to their Salesforce instances, then stole data and extorted the affected corporations. In a later campaign they accessed Salesloft's GitHub repository, ran TruffleHog over it to find authentication tokens, and used those tokens for further data theft. Companies named as impacted include Adidas, Cisco, and Louis Vuitton, among others. Despite claims of going dark, security researchers expect the group to keep operating more quietly, leaving corporate and government targets at ongoing risk.
2025-09-15 20:15:33 bleepingcomputer DATA BREACH Hackers Exploit Google Law Enforcement Portal, No Data Compromised
Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS), the portal used for official data requests, but said no data was accessed and no requests were made through it. The group "Scattered Lapsus$ Hunters" claimed access to both Google's LERS and the FBI's eCheck system, raising concern that the accounts could be used to impersonate law enforcement and obtain user data. The group, which draws on ShinyHunters, Scattered Spider, and Lapsus$, has run extensive data-theft campaigns, most notably stealing Salesforce data after socially engineering employees into authorizing a malicious connected app. It later breached Salesloft's GitHub repository, extracted secrets from it, and used the resulting access to steal data from further companies, including Google, Cisco, and Qantas. Google Threat Intelligence Group (Mandiant) has tracked and publicly disclosed these campaigns and advised affected organizations on hardening their Salesforce integrations. Despite claims of going quiet, researchers expect the group to keep operating covertly, leaving both corporate and government targets at ongoing risk.
2025-09-15 19:46:28 theregister CYBERCRIME SonicWall Attack Exploits Plaintext Recovery Codes, Compromises Security
In an intrusion investigated by Huntress, attackers who had got in through a SonicWall VPN bypassed multi-factor authentication with recovery codes that an engineer had saved in plaintext on his desktop. The intruders deployed Akira ransomware, disabled endpoint security tools, and used stolen credentials to impersonate privileged users inside the compromised networks. Huntress, a managed security provider, picked up the intrusion from suspicious activity in a customer's environment and opened an investigation. Using the stolen credentials and recovery codes, the attackers also logged into the Huntress portal, marked incident reports as resolved, and de-isolated quarantined hosts, which hampered detection and response. The incident shows why MFA recovery codes must be treated as credentials: stored encrypted in a password manager rather than in a text file, and rotated regularly. It also shows the value of reviewing activity logs for unusual actions even when they come from a legitimate account, such as incidents being closed or hosts being released from isolation by a user who does not normally do so.
2025-09-15 18:49:30 thehackernews NATION STATE ACTIVITY Mustang Panda Targets Thailand with New SnakeDisk USB Worm
Mustang Panda, a China-aligned threat actor, has been deploying SnakeDisk, a new USB worm, against devices with Thailand-based IP addresses, where it drops the Yokai backdoor. IBM X-Force tracks the activity as Hive0154, a cluster also known by aliases including Bronze President and RedDelta. The chain begins with spear-phishing emails that deliver the TONESHELL backdoor, which in turn fetches further payloads onto the compromised system. SnakeDisk spreads over removable USB drives, relying on DLL side-loading and on a lure executable posing as the drive's contents to get the user to run it; on hosts with Thai IP addresses it drops Yokai, which opens a reverse shell for arbitrary command execution. The newer TONESHELL variants, TONESHELL8 and TONESHELL9, add anti-analysis junk code that appears to have been generated with ChatGPT and support command-and-control traffic through a proxy. The geographic gating and continued tooling development point to a deliberate focus on Thailand, with implications for defenders and threat monitoring in the region.
2025-09-15 18:20:15 bleepingcomputer DATA BREACH FinWise Bank Data Breach Exposes 689,000 American First Finance Customers
FinWise Bank has reported a data breach in which a former employee accessed records belonging to 689,000 customers of American First Finance (AFF), a lending partner. The exposed information includes full names and other personal data, but the bank has not specified which data types. The access took place after the employee had left the bank, raising questions about how quickly departing staff lose their access. FinWise has engaged external cybersecurity experts to establish the scope of the breach, says it has strengthened internal controls, and is offering affected individuals 12 months of free credit monitoring and identity theft protection. Several class-action lawsuits have already been filed. FinWise's SEC filing confirms the breach, and its figures match those reported by American First Finance.
2025-09-15 18:09:06 bleepingcomputer VULNERABILITIES Phoenix Attack Bypasses DDR5 Rowhammer Defenses, Exposing Security Flaws
Researchers from ETH Zurich and Google have developed Phoenix, a new Rowhammer attack that defeats the on-die protections in SK Hynix DDR5 memory. Rowhammer repeatedly activates DRAM rows to flip bits in neighbouring rows; an attacker who controls which bits flip can escalate privileges or corrupt security-critical data. By reverse-engineering Hynix's Target Row Refresh (TRR) mitigation, the researchers found refresh intervals that TRR does not sample and built hammering patterns that stay synchronised with those gaps. All 15 DDR5 DIMMs tested were vulnerable, and on a default-configured system the team gained root in under two minutes. Corrupting page-table entries succeeded on 73% of the DIMMs, and corrupting RSA-2048 keys of a co-located virtual machine on 33%. The issue is tracked as CVE-2025-6202 with a high-severity score and affects DIMMs produced between January 2021 and December 2024. The only available mitigation is to refresh DRAM three times as often as the default, that is, at a third of the standard refresh interval, which costs performance and may cause instability. The research and proof-of-concept code will be presented at the IEEE Symposium on Security and Privacy.
2025-09-15 17:06:09 bleepingcomputer VULNERABILITIES Microsoft Urges Immediate Action as Exchange Support Ends Soon
Microsoft has reminded administrators that Exchange Server 2016 and Exchange Server 2019 reach end of support on October 14, 2025, and urged them to plan their move now. After that date Microsoft will no longer provide technical support, bug fixes, or security updates, so any Exchange vulnerability disclosed afterwards will remain unpatched on those versions. The supported destinations are Exchange Online or Exchange Server Subscription Edition (SE). Exchange Server 2019 can be upgraded in place to SE; Exchange 2016 must be migrated to SE servers installed alongside it. Organizations still running Exchange 2013 or older must decommission those servers before SE can be introduced. Microsoft's documentation provides detailed guidance for choosing a path. Continuing to run unsupported Exchange servers, which are routinely targeted, exposes an organization to vulnerabilities it cannot patch.
2025-09-15 15:02:38 theregister MISCELLANEOUS Importance of Automated Identity Governance in Mitigating Access Risks
Organizations struggle to manage access rights at the scale and complexity of modern IT estates, and manual processes cannot keep up. The result is privilege creep: users accumulate entitlements they no longer need, while dormant accounts and stale privileges give attackers and malicious insiders ready-made paths to data. Automated Identity Governance and Administration (IGA) platforms address this by tying entitlements to roles, reviewing them continuously, and removing access when a role or employment ends. Centralized governance improves visibility and auditability while cutting administrative effort. Modern IGA products emphasise quick deployment and integration with existing identity providers and applications, putting them within reach of smaller organizations. Demand is driven by both the threat landscape and regulatory requirements for demonstrable access control.
2025-09-15 14:10:29 bleepingcomputer VULNERABILITIES SecAlerts Revolutionizes Real-Time Vulnerability Management for Businesses
SecAlerts is a sponsored offering that delivers real-time vulnerability alerts, aimed at organizations that struggle to track the volume of published vulnerabilities across their software estate. Its pitch is that traditional vulnerability management tools are costly and complex for teams with limited budgets. Rather than waiting on the National Vulnerability Database (NVD), whose enrichment of new CVEs has lagged, it aggregates more than 100 sources, including vendor advisories and researcher disclosures. Customizable filters let teams restrict alerts to the software they actually run. The dashboard organizes information into Stacks, Channels, and Alerts so that different departments receive only what is relevant to them. The vendor reports customers across universities, government agencies, and banks. A free 30-day trial and a promotional discount are on offer.
2025-09-15 13:08:36 theregister DATA BREACH FinWise Bank Data Breach Exposes Nearly 700,000 Customer Records
FinWise Bank has disclosed a data breach in which a former employee accessed records of nearly 700,000 customers, including customers of its partner American First Finance (AFF). The access occurred on May 31, 2024 and was not detected until June 18, 2024. Neither FinWise nor AFF has said which data types were involved or made further public statements. On discovering the access, FinWise engaged external cybersecurity experts to determine what the former employee had reached. Affected individuals are being offered 12 months of free credit monitoring and identity theft protection. The case is another reminder of the insider threat, following recent insider-driven incidents at Coinbase and Rippling, and of the need to revoke access promptly when employment ends and to monitor for use of accounts that should no longer be active.
2025-09-15 12:22:57 theregister NATION STATE ACTIVITY North Korean Hackers Exploit AI to Forge Military IDs in Cyber Espionage
North Korea's Kimsuky group used ChatGPT to generate a counterfeit South Korean military ID for a spear-phishing campaign against a defense-related institution, according to researchers at Genians. The fake employee card was built from publicly available headshots and produced by framing the request as a legitimate mock-up design, a prompt-engineering trick that got around ChatGPT's refusal to generate government identification. The image was attached to emails posing as official correspondence about military ID issuance. The campaign marks a shift for Kimsuky from conventional phishing lures to AI-generated forgeries. OpenAI has previously shut down accounts tied to North Korean operators for misuse of its models. AI-assisted forgery of identity documents lowers the cost of a convincing lure and argues for verification controls that do not depend on a document merely looking authentic.
2025-09-15 12:02:21 thehackernews VULNERABILITIES Rise in Browser-Based Attacks Demands Enhanced Security Measures
Browser-based attacks on business applications and data are rising, with attackers using third-party SaaS services as the entry point rather than the corporate network. Phishing kits that proxy the real login page to defeat MFA (adversary-in-the-middle) are delivered over email, messaging apps, and social platforms to capture credentials and live sessions. ClickFix lures present a fake browser verification challenge and talk the user into pasting a command into a terminal or Run dialog, typically installing infostealer malware. Malicious OAuth integrations and browser extensions sidestep password and MFA controls altogether by obtaining delegated access or reading data inside the browser. The sprawl of SaaS applications adopted outside central IT control widens the attack surface and leaves security teams with little visibility into what happens in the browser. The article argues for detection and response that observes browser activity directly; it comes from Push Security, which sells a browser-based security platform for detecting and blocking these techniques.
2025-09-15 11:33:43 theregister MISCELLANEOUS Nvidia Faces Antitrust Investigation by China's Market Regulator
China's State Administration for Market Regulation (SAMR) has opened a formal antitrust investigation into Nvidia after a preliminary finding that the company violated the country's anti-monopoly law. At issue are conditions attached to SAMR's 2020 approval of Nvidia's $6.9 billion acquisition of Mellanox Technologies, which were meant to stop Nvidia from using the deal to disadvantage Chinese competitors and to preserve interoperability with other vendors' products. Possible outcomes include substantial fines and new restrictions on Nvidia's sales in China. Nvidia shares fell about 2 percent in pre-market trading on the news. China accounts for roughly 13 percent of Nvidia's global revenue, and the probe adds to pressure from Beijing's earlier security questions about the H20 AI accelerators and from tightened U.S. export controls.
2025-09-15 11:27:32 thehackernews MALWARE New HybridPetya Ransomware Threatens UEFI Secure Boot Integrity
ESET has identified HybridPetya, a new ransomware strain modelled on Petya/NotPetya that can bypass UEFI Secure Boot on unpatched systems. It installs a malicious EFI application on the EFI System Partition and, in one variant, exploits CVE-2024-7344, a flaw in a Microsoft-signed UEFI application, to run that payload with Secure Boot enabled; the bootkit then encrypts the NTFS master file table and demands a ransom. Bootkits of this kind execute before the operating system, evade conventional antivirus, and survive OS reinstallation. ESET found the samples on VirusTotal in February 2025 and has not observed them in the wild, so HybridPetya currently looks like a proof of concept or an early-stage tool rather than an active campaign. Organizations should make sure firmware and the Secure Boot revocation list (dbx) are current, monitor the EFI System Partition for unexpected binaries, and update incident response plans to cover bootkit compromise.