Ticker feed
Attackers compromised 18 popular npm packages with over 2.6 billion weekly downloads through a simple phishing email targeting a maintainer. The breach began when the maintainer clicked a fake npm support email requesting two-factor authentication updates, giving attackers access to publish malicious versions of packages like chalk and debug.
The malware targeted cryptocurrency transactions by hijacking browser APIs and wallet interfaces. While detected within minutes and causing minimal financial damage (around $20 in stolen crypto), the incident exposed millions of developers to compromised code.
Experts warn against dismissing this as low-impact, emphasizing that the real cost lies in cleanup efforts and the fragility of open-source infrastructure that powers modern software development.
Source: CyberScoop
The FBI is warning about two threat groups targeting Salesforce customers through sophisticated social engineering attacks. UNC6040 (also known as ShinyHunters) has been calling company help desks since October 2024, posing as IT support to trick employees into sharing login credentials or installing malicious apps that steal customer data.
UNC6395 previously exploited stolen OAuth tokens from Salesloft's Drift application to access hundreds of Salesforce environments earlier this year. Salesforce and Salesloft revoked all Drift tokens in August, but the threat remains active through other integrations.
Some victims have received extortion emails demanding cryptocurrency payments to prevent data publication. The FBI recommends training call center staff, implementing phishing-resistant multi-factor authentication, and monitoring network activity to defend against these ongoing campaigns.
Source: Dark Reading
Cybercriminals calling themselves Shiny Hunters have stolen personal data from potentially 7.4 million customers of luxury brands Gucci, Balenciaga, and Alexander McQueen. The April breach exposed names, email addresses, phone numbers, home addresses, and total spending amounts, with some customers having spent $30,000-$86,000 at these stores.
Parent company Kering confirmed the attack but says no financial information such as credit card details was compromised. The hackers demanded a Bitcoin ransom in June, which Kering refused to pay following law enforcement advice.
The spending data is particularly concerning as it could make high-value customers targets for future scams. This attack was part of a broader wave hitting luxury brands including Cartier and Louis Vuitton.
Source: BBC
Two critical vulnerabilities have been discovered in Linux's Common Unix Printing System (CUPS), affecting virtually all Linux distributions. CVE-2025-58364 allows attackers to crash printing services through crafted printer responses, while CVE-2025-58060 enables authentication bypass on systems using non-Basic authentication methods like Kerberos or LDAP.
The DoS vulnerability targets the libcups library and can disrupt entire network printing services. The authentication bypass is more severe, letting attackers gain admin access by sending Basic auth headers when other authentication types are configured.
No patches are currently available for CUPS versions below 2.4.12. Network administrators should immediately restrict access to IPP port 631, disable the cups-browsed service, and temporarily revert to Basic authentication with strong passwords until fixes arrive.
Source: Cyber Security News
Cybercriminals are running a sophisticated malvertising campaign that tricks users into downloading fake GitHub Desktop clients loaded with malware. The attackers exploit GitHub's trusted reputation by creating compromised repositories with hidden malicious code that appears legitimate.
When users search for GitHub Desktop through infected ads, they're redirected to these fake repositories. Once downloaded, the malware performs extensive system reconnaissance, collecting operating system details and network configurations before connecting to command servers.
The campaign uses advanced evasion techniques, including PowerShell payloads that deploy the NetSupport Remote Access Trojan and AutoIt interpreters disguised as COM files. Unit 42 researchers discovered the threat through behavioral analysis of suspicious repository activities.
Source: Cybersecurity News
Samsung released its September 2025 security update to fix a critical zero-day vulnerability that hackers are actively exploiting. The flaw, tracked as CVE-2025-21043, affects Galaxy devices running Android 13-16 and allows remote attackers to execute malicious code by tricking users into processing specially crafted images.
Meta and WhatsApp security teams discovered and privately reported the vulnerability. Samsung confirmed exploits already exist in the wild, making immediate patching crucial. The update also fixes 24 other security flaws, including high-severity issues that could let local attackers run arbitrary code.
Users should install the update immediately through Settings > Software update > Download and install.
Source: Cybersecurity News
Jaguar Land Rover's production shutdown has stretched to 12 days following a devastating cyber attack, with manufacturing now delayed until at least Wednesday. The disruption affects all 34,000 UK workers across factories in Halewood, Solihull, and Wolverhampton, who remain at home on full pay.
The ripple effects are hitting hard across the supply chain. Six thousand workers at JLR suppliers, including Evtec and WHS Plastics, have been temporarily laid off. MPs are now demanding COVID-style financial support, warning that disruption could last "most of September."
A hacking group called Scattered Lapsus$ Hunters claimed responsibility for the attack. Unite union leader Sharon Graham is calling for an emergency furlough scheme to protect jobs in the automotive sector.
Source: Sky News
Cybercriminals are ramping up Akira ransomware attacks by exploiting a year-old vulnerability in SonicWall firewalls. About 40 attacks hit between mid-July and early August, with another wave following soon after. The attacks target CVE-2024-40766, which affects SSL VPN protocols in multiple SonicWall firewall versions.
Rapid7 reports handling multiple incidents weekly, while Australia's Cyber Security Centre warns of attacks on local organizations. Most victims had patched their systems but failed to reset default passwords during firewall migrations from Gen 6 to Gen 7 devices.
Akira ransomware has already impacted over 250 organizations, collecting $42 million in ransom payments. SonicWall has appeared 14 times on CISA's exploited vulnerabilities list since 2021.
Source: CyberScoop
Cybercriminals are using AI to create sophisticated malware disguised as legitimate productivity apps, infecting hundreds of organizations across manufacturing, government, and healthcare sectors in the US, UK, Germany, India, and beyond. The "EvilAI" campaign uses fake apps like Recipe Maker and Manual Finder that actually work as advertised while secretly mapping victim networks and disabling security software.
What makes this campaign particularly dangerous is its professional appearance. The malicious apps feature polished interfaces, real functionality, and valid digital signatures from newly registered companies. The AI-generated malware code is designed to evade traditional antivirus detection.
Trend Micro researchers warn this appears to be preparation for larger future attacks, possibly by initial access brokers setting the stage for ransomware or data theft operations.
Source: Dark Reading
CISA issued 14 security advisories Tuesday highlighting serious vulnerabilities in industrial automation systems from Rockwell and ABB. The flaws affect critical manufacturing infrastructure, including Rockwell's ThinManager software, FactoryTalk platforms, and various controllers, plus ABB's ASPECT, NEXUS, and MATRIX equipment.
The most severe issues include authentication bypasses allowing attackers to take full device control, remote code execution vulnerabilities, and buffer overflows that could crash systems. One Rockwell ThinManager flaw (CVE-2025-9065) scores 8.6 on the severity scale, while ABB vulnerabilities reach 9.8.
Both companies have released patches and recommend immediate updates. CISA emphasizes these systems should never be directly exposed to the internet and must use proper network segmentation and VPN access controls.
Source: Industrial Cyber