Ticker feed
Cybercriminals are using a clever new approach called "Beamglea" to phish credentials from industrial and electronics companies. Instead of injecting malicious code into NPM packages, they're abusing the legitimate unpkg.com CDN service to host phishing pages.
The attackers created 175 fake packages with names like "redirect-[random6chars]" that redirect victims to credential-stealing sites. They've targeted over 135 organizations including ArcelorMittal, D-Link, and ThyssenKrupp Nucera, generating 630+ HTML files disguised as purchase orders and technical documents.
Using automated Python tools, hackers customize attacks for each victim, pre-filling email addresses to make phishing pages appear legitimate. The campaign has accumulated 26,000 downloads, though many come from security researchers analyzing the threat.
Source: Security Week
AT&T is settling two massive data breaches for $177 million after hackers exposed personal information of over 170 million customers. The first breach in 2019 leaked Social Security numbers, birth dates, and names of 73 million people, while a 2024 hack accessed phone records of 109 million customers through AT&T's cloud provider Snowflake.
Customers affected by the 2019 breach can claim up to $5,000 with documented losses, or receive tiered payments based on whether their SSN was compromised. Those hit by the 2024 breach can get up to $2,500 with proof of losses, or share the remaining settlement funds equally.
The deadline to file claims is November 18, 2025. Customers affected by both breaches can file separate claims for each incident.
Source: CNET
Security researchers at InfoGuard Labs discovered serious vulnerabilities in Microsoft Defender for Endpoint that allow attackers to bypass authentication and manipulate security responses. The flaws let hackers intercept commands between Defender agents and Microsoft's cloud services using easily obtainable machine and tenant IDs from the Windows registry.
Attackers can spoof isolation commands, making infected devices appear secured in Microsoft's portal while remaining compromised. They can also upload malicious files to investigation packages, potentially tricking security analysts into executing malware during incident reviews.
The issues were reported to Microsoft in July 2025; the company classified them as low severity, and no fixes had been confirmed as of October 2025, despite the researchers arguing that they pose significant post-breach risks.
Source: Cybersecurity News
Hackers have released personal data from 5 million Qantas customers on the dark web after the airline refused to pay ransom demands. The cybercriminal group Scattered Lapsus$ Hunters leaked email addresses, phone numbers, birth dates, and frequent flyer numbers stolen from a Salesforce database in June.
The breach affects 44 companies globally, including Gap, Toyota, Disney, McDonald's, and Adidas, with up to 1 billion customer records compromised. While no credit card or passport details were included in the Qantas leak, experts warn criminals could use the information for identity theft and personalized phishing scams.
Qantas has established a 24/7 support line for affected customers and implemented additional security measures since the attack.
Source: The Guardian
Chinese threat group Storm-2603 has weaponized Velociraptor, a legitimate digital forensics tool, to launch stealthy ransomware attacks. Cisco Talos researchers discovered the group using this open-source incident response tool to deploy multiple ransomware variants—Warlock, LockBit, and Babuk—on VMware ESXi servers in August.
The hackers exploited an outdated version of Velociraptor with a privilege escalation vulnerability, allowing them to maintain persistent access while avoiding detection. This marks a concerning shift where cybercriminals repurpose security tools designed to protect organizations.
Sophos researchers first documented similar attacks in August, noting threat actors used Velociraptor to establish command-and-control communications. Security teams should audit their Velociraptor installations and monitor for unauthorized binaries to prevent this tool from being turned against them.
Source: Dark Reading
The Georgia Department of Human Services is notifying residents that their personal information may have been exposed after hackers gained unauthorized access to employee email accounts. The Georgia Technology Authority discovered the breach at their email services provider, which hosts DHS accounts containing confidential data.
While there's no evidence that information was actually viewed or misused, potentially exposed data includes names, Social Security numbers, driver's license numbers, medical details, and financial account information. DHS has secured the compromised accounts and launched an investigation.
The agency is mailing notifications to affected individuals and recommends monitoring credit reports and considering fraud alerts with major credit bureaus as a precaution.
Source: CBS News Atlanta
GreyNoise has uncovered a coordinated campaign targeting Cisco, Fortinet, and Palo Alto Networks devices, with attackers using IPs from the same subnets. The firm detected scanning attempts against Cisco ASA devices in September, weeks before two zero-day vulnerabilities were disclosed. These bugs, scoring up to 9.9 on the CVSS scale, were linked to China-based hackers in the ArcaneDoor espionage campaign.
Scanning activity against Palo Alto Networks firewalls spiked 500% over two days, involving 2,200 unique IPs and generating over 1.3 million login attempts. GreyNoise warns that similar spikes typically precede vulnerability disclosures within six weeks, with roughly 80% accuracy for major firewall and VPN vendors.
Source: Security Week
Hackers breached Discord through a third-party customer service provider, stealing government ID photos from approximately 70,000 users who submitted them for age verification appeals. The attackers reportedly grabbed 1.5 terabytes of data and are demanding ransom money from Discord.
The stolen information includes names, usernames, email addresses, messages to customer support, and limited billing details like the last four digits of credit cards. However, passwords and full payment information weren't compromised.
Discord immediately cut off the vendor's access and contacted law enforcement. The company is notifying affected users via email from noreply@discord.com. Some frustrated users report Discord never processed their age appeals before the breach occurred.
Source: CNET
SonicWall confirmed Wednesday that attackers successfully breached its cloud backup service through a brute-force attack, accessing firewall configuration files from every customer who used the platform. The company initially downplayed the breach's scope, claiming less than 5% of customers were affected, but later admitted all cloud backup users were compromised.
The stolen data includes firewall rules, encrypted passwords, and network configurations—essentially a roadmap for future attacks. Security experts criticized SonicWall for lacking basic protections like rate limiting on public APIs.
This marks another blow for SonicWall customers, who've faced years of actively exploited vulnerabilities, including recent Akira ransomware campaigns. The company has notified affected customers and released detection tools.
Source: CyberScoop
A Vietnam-based cyber group called BatShadow is targeting job seekers and digital marketing professionals with malicious emails containing "Vampire Bot" malware. The sophisticated surveillance tool, written in Go, continuously captures screenshots and steals sensitive data from infected computers.
The attack works through zip files containing fake PDFs and hidden malicious executables. When victims open these files, PowerShell scripts quietly install the malware while displaying a decoy document. Vampire Bot then harvests system information, maintains persistence by hiding in core folders, and sends encrypted data to command servers.
Researchers at Aryaka Threat Research Labs say the campaign exploits job seekers' willingness to open career-related emails, making them prime targets for cybercriminals seeking extended system access.
Source: Dark Reading