All news in category “Incidents and Data Breaches”

🐛 Security researchers report at least 187 npm packages compromised in an active supply-chain campaign dubbed Shai‑Hulud. The malware, first observed in the widely used @ctrl/tinycolor package, includes a self‑propagating payload that injects a bundle.js, abuses TruffleHog to harvest tokens and cloud credentials, and creates unauthorized GitHub Actions workflows to exfiltrate secrets. Affected vendors including CrowdStrike say they removed malicious packages and rotated keys; developers are urged to audit environments, rotate secrets, and pin dependencies.

🦠 On the evening of September 15 a worm-like supply-chain attack began targeting popular npm components, compromising nearly 150 packages including @ctrl/tinycolor. Malicious code was added as a cross-platform postinstall script (bundle.js) that harvests credentials using a bundled TruffleHog, validates tokens via npm and GitHub APIs, and — where possible — publishes trojanized package updates. Harvested secrets are exfiltrated by creating public GitHub repositories and by deploying GitHub Actions that forward data to an attacker-controlled webhook.

🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.

🔒 Luxury fashion groups Gucci, Alexander McQueen and Balenciaga have had customer data exposed in an attack linked to the ShinyHunters group. A sample of files shared with the BBC reportedly included thousands of genuine customer records and spending details, and the group claims data on 7.4 million email addresses. Kering confirmed temporary unauthorized access in June but said no financial information or government identifiers were involved. Security experts warn the data could fuel follow-on fraud, especially if sold on criminal forums.

🔍 A coordinated ad and click-fraud operation named SlopAds ran 224 Android apps that amassed roughly 38 million downloads across 228 countries, according to HUMAN's Satori Threat Intelligence and Research Team. The campaign generated up to 2.3 billion bid requests per day and primarily targeted traffic from the U.S., India, and Brazil. Google removed the offending apps from the Play Store after the investigation, which found sophisticated evasion tactics including steganography and conditional payloads.

🐛 A self-replicating worm dubbed Shai-Hulud has infected at least 187 NPM packages, stealing developer credentials and publishing them to public GitHub repositories that include the string 'Shai-Hulud'. The malware searches for NPM tokens, uses them to inject itself into the top 20 packages accessible to the token and auto-publishes new versions, and leverages tools such as TruffleHog to locate secrets. The campaign briefly affected multiple packages linked to CrowdStrike and was first observed being modified on Sept. 14.

🔒 Kering has confirmed that an unauthorised third party accessed limited customer data from several of its luxury brands, including Gucci, Balenciaga, and Alexander McQueen. The exposed information may include names, dates of birth, phone numbers, email addresses, and store purchase histories, while payment card and financial data do not appear to have been compromised. Reports link the incident to the ShinyHunters group and to earlier 2024 breaches and alleged Salesforce CRM access; chat logs indicated ransom discussions, and police later arrested suspects tied to underground leak site BreachForums. Customers have been notified and should be vigilant for phishing, SMS scams, and suspicious calls.

🔒 Jaguar Land Rover has extended a pause in production for another week as it continues a forensic investigation into a severe cyberattack disclosed on 2 September 2025. The automaker said operations will remain suspended until Wednesday 24th September 2025 while it prepares a controlled global restart. JLR confirmed some data was stolen but has not attributed the breach to a known group. A group calling itself Scattered Lapsus$ Hunters posted screenshots and claimed to have deployed ransomware.

🔍 Acronis researchers warn of a campaign using a FileFix variant to deliver the StealC information stealer via a multilingual, heavily obfuscated phishing site. The lure mimics a Facebook security notice and hijacks the clipboard to implant a multi-stage PowerShell command that victims are tricked into executing through File Explorer. Attackers store encoded payload components as images on Bitbucket, decode them locally with a Go-based loader, and ultimately unpack shellcode that launches StealC. The infrastructure uses junk code, fragmentation and other anti-analysis techniques to evade detection and complicate forensic analysis.

🛡️ A new FileFix campaign impersonates Meta support to trick users into pasting a disguised PowerShell command into the File Explorer address bar, which then downloads and executes malware. The attackers hide a second-stage script and encrypted binaries inside a seemingly benign JPG hosted on Bitbucket using steganography. The final payload is the StealC infostealer, designed to harvest browser credentials, messaging logins, crypto wallets, cloud keys and more. Security vendor Acronis observed multiple evolving variants over a two-week period and urges user education on these novel ClickFix/FileFix tactics.

🔒 Researchers at ESET have identified HybridPetya, a bootkit-style ransomware that mimics Petya/NotPetya by targeting the NTFS Master File Table (MFT). Unlike destructive predecessors, HybridPetya functions as true ransomware and can reconstruct victim decryption keys from an installation key, with an analyzed sample demanding €850 in Bitcoin. The threat bypasses UEFI Secure Boot by exploiting CVE-2024-7344 in a Microsoft-signed EFI component to load an unsigned cloak.dat, replace the Windows bootloader, crash the system to force a reboot, and run prior to OS startup to encrypt the disk with Salsa20 while displaying a fake CHKDSK message.

🔒 Jaguar Land Rover (JLR) has extended its production pause until at least 24 September after a cyber-attack earlier this month. The outage is causing cascading disruption across its supply chain, with some third-party workers reportedly laid off while JLR employees are not facing job losses. Unite has called for government-backed furloughs for affected contractors. A group using the name Scattered Lapsus$ Hunters has claimed responsibility and JLR confirmed some data were affected and regulators have been informed.

🔒 FinWise Bank notified customers that a former employee accessed customer data after their employment ended, with the incident occurring on May 31, 2024 and discovered on June 18, 2025. The breach affected 689,000 FinWise and American First Finance (AFF) customers, and the bank confirmed that customers' full names were exposed. FinWise engaged external cybersecurity experts, offered 12 months of free credit monitoring and identity-theft protection, and advised customers to place fraud alerts or security freezes and to monitor credit reports and account statements.

🚨 Security researchers say a new software supply chain campaign has compromised more than 40 npm packages by injecting a malicious bundle.js into republished releases. The trojan installs a downloader that executes TruffleHog to scan hosts for secrets and cloud credentials, targeting both Windows and Linux developer environments. Vendors warn maintainers to audit environments, rotate tokens, and remove affected versions to prevent ongoing exfiltration.

🔒 Google confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) portal and has been disabled. The company said no requests were made with the account and no data was accessed. The claim follows posts by a group calling itself "Scattered Lapsus$ Hunters", which also asserted access to the FBI's eCheck system. The actors have previously targeted Salesforce-related infrastructure and taunted security teams.

🔒 Google has confirmed that a fraudulent account was created in its Law Enforcement Request System (LERS) and has been disabled. The company says no requests were made and no data was accessed. The claim was posted by a group calling itself Scattered Lapsus$ Hunters, which also alleged access to the FBI's eCheck system; the FBI declined to comment. The group has a history of high-profile Salesforce-related thefts and has publicly taunted law enforcement and security researchers.

🐍 IBM X-Force reports that China-aligned Mustang Panda is deploying a new USB worm, SnakeDisk, to propagate the Yokai backdoor against machines geolocated to Thailand. The actor also introduced updated TONESHELL variants (TONESHELL8/9) with proxy-aware C2 and parallel reverse shells. SnakeDisk abuses DLL side-loading and USB volume masquerading—moving user files into a subfolder and presenting a deceptive 'USB.exe' lure before restoring originals—to spread selectively on Thailand-based public IPs.

🔒 FinWise Bank says a former employee accessed sensitive files after their employment ended, in a data security incident identified on May 31, 2024. The bank notified corporate partner American First Finance (AFF), which reported that data for 689,000 customers was affected. FinWise launched an external investigation, strengthened internal controls, and is offering 12 months of credit monitoring and identity theft protection to impacted individuals.

🔒 ESET Research identified HybridPetya on VirusTotal in February 2025, with filenames implying a connection to the destructive NotPetya outbreak. The strain encrypts the NTFS Master File Table using Salsa20 and deploys a UEFI bootkit on the EFI System Partition to ensure firmware‑level persistence. One variant exploits CVE-2024-7344 to bypass UEFI Secure Boot via a signed but vulnerable Microsoft component, yet retains a working decryption mechanism for victims. Analysts found no signs of self-propagation like NotPetya, but the combination of pre-boot compromise and MFT encryption raises significant concern.

🔍 Security researchers at FortiGuard Labs uncovered an SEO poisoning campaign that manipulated search results to steer Chinese-speaking Microsoft Windows users to spoofed download sites. Attackers registered lookalike domains and used subtle character substitutions to present compromised installers that bundled legitimate apps with hidden malware such as Hiddengh0st and Winos. The operation used a redirection script known as nice.js, anti-analysis checks in components like EnumW.dll, and persistence mechanisms including registry changes and TypeLib hijacking. FortiGuard warns the final payloads supported monitoring, keystroke and clipboard capture, Telegram interception, and cryptocurrency wallet theft.