All news in category “Incidents and Data Breaches”

🛡️ Unit 42 observed AdaptixC2 in early May 2025 being used in real-world intrusions to perform command execution, file transfers and data exfiltration. The open-source framework offers modular beacons, in-memory execution and multiple persistence and tunneling options, which adversaries have adapted for evasive operations. Unit 42 published extraction tools, YARA rules and hunting guidance to help defenders detect and mitigate these threats.

🔒 The House Select Committee on China warned of an ongoing series of targeted cyber-espionage campaigns tied to the PRC that aim at organizations involved in U.S.–China trade talks. Attackers impersonated Rep. John Robert Moolenaar in phishing emails that delivered malware via attachments and links, abusing cloud services and software to conceal activity. The campaign, attributed to APT41, affected trade groups, law firms, think tanks, U.S. government agencies and at least one foreign government.

🔒 Lovesac has informed customers that an unauthorized actor accessed its systems between February 12 and March 3, 2025, copying certain files after the company detected suspicious activity at the end of February. The intrusion aligns with a March claim by RansomHub, which said it had stolen roughly 40 GB of data; the ransomware group's extortion portal later went offline in April. Lovesac says it has found no confirmed misuse of the stolen information, but is notifying affected customers, offering 24 months of complimentary credit monitoring through Experian (enrollment required and open until November 28, 2025), and urging vigilance for signs of identity theft and fraud.

⚠️ Security researchers warn a supply‑chain attack on npm briefly propagated trojanized versions of widely used packages after the developer account qix was hijacked via social engineering. The malicious updates contained crypto‑stealing payloads that could rewrite wallet recipients in browsers if bundled into frontend builds. Vendor Wiz reports the code was present in about 10% of cloud environments during a two‑hour window, and JFrog says additional accounts, including DuckDB, were impacted. Organizations are advised to blocklist affected versions, rebuild from clean caches, invalidate CDN assets, and hunt for affected bundles and anomalous signing activity.

⚠️ Researchers at ANY.RUN have uncovered Salty2FA, a new phishing-as-a-service kit engineered to harvest credentials and bypass multiple two-factor authentication methods. First observed gaining momentum in mid-2025, the kit uses multi-stage redirects, Cloudflare checks and evasive hosting to slip past automated filters. Salty2FA intercepts push, SMS and voice codes, enabling account takeover across finance, energy and telecom sectors.

🔒 Recent Unit 42 analysis details ongoing data theft campaigns targeting Salesforce environments, notably a Salesloft Drift supply chain intrusion attributed to UNC6395 that may have started with reconnaissance as early as March 2025. Threat actors claiming links to Muddled Libra and Bling Libra have promoted stolen datasets on Telegram and announced new RaaS ambitions, while some channels were removed by September 5. Unit 42 emphasizes the prominence of social engineering by operatives tied to "The Com," predicts shifts toward data theft extortion and other monetization tactics, and recommends engagement with RH-ISAC, adoption of Salesforce mitigations, and use of Unit 42 incident insights to strengthen people and process defenses.

🛡️ Attackers are exploiting exposed Docker APIs (port 2375) by launching containers that install Tor and retrieve secondary payloads from hidden services. Researchers at Trend Micro and Akamai observed the activity evolve from opportunistic cryptomining into a more capable dropper that establishes persistent SSH access, creates cron jobs to block API access, and executes a Go-based agent that scans and propagates to additional hosts. The agent also removes competitor containers and contains dormant logic for Telnet and Chrome remote debugging exploitation.

🔒 Kosovo national Liridon Masurica has pleaded guilty to operating the cybercrime marketplace BlackDB.cc, which the Justice Department says sold compromised accounts, server credentials, stolen credit cards, and PII since 2018. Masurica was arrested in Kosovo in December 2024, extradited to the United States in May 2025, and is detained following a court appearance in Tampa. He faces federal charges that include five counts of fraudulent use of unauthorized access devices and a conspiracy count, carrying up to 55 years in prison. The FBI coordinated the investigation with Kosovo law enforcement and international partners.

🛡️ The U.S. Department of Justice has indicted Ukrainian national Volodymyr Tymoshchuk for allegedly administering the LockerGoga, MegaCortex, and Nefilim ransomware operations that targeted hundreds of companies worldwide. The superseding indictment covers activity between 2019 and 2021 and alleges coordination with affiliates and profit-sharing arrangements. Tymoshchuk faces multiple computer fraud and damaging-computer charges, and the State Department is offering up to $11 million for information leading to his arrest.

🔒 ReliaQuest reports threat actors increasingly abusing the HTTP client Axios alongside Microsoft's Direct Send to create a highly efficient phishing pipeline that intercepts and replays authentication flows. Campaigns beginning in July 2025 targeted executives in finance, healthcare, and manufacturing and expanded to all users, achieving up to a 70% success rate when pairing Axios with Direct Send. Attackers also use PDF lures with malicious QR codes, Google Firebase hosting, and advanced MFA-bypass kits such as Salty2FA to simulate multiple 2FA methods and steal credentials.

⚠️ Researchers have exposed a Salty2FA phishing kit that applies enterprise-grade tactics to harvest credentials and bypass detection. The campaign uses session-based subdomain rotation, abuse of legitimate platforms for staging, and corporate-branded login replicas to increase believability. Operators integrate Cloudflare Turnstile and obfuscated, XOR-encrypted JavaScript to block automated analysis and frustrate forensic inspection. Targets include healthcare, finance, technology, energy and automotive sectors, underscoring the need for updated defenses beyond traditional indicators.

🔒 Arctic Wolf researchers uncovered a targeted campaign, GPUGate, that uses malicious GitHub Desktop installers promoted via Google Ads to distribute evasive malware. The attack leverages commit‑specific links and lookalike domains to mimic legitimate GitHub downloads and trick users, particularly IT personnel, into installing a large MSI payload. A GPU‑gated decryption routine keeps the malware dormant in virtualized or low‑power environments, while PowerShell execution with policy bypasses and scheduled‑task persistence provide elevated privileges and long‑term access.

🔐 A newly uncovered phishing campaign uses the Salty2FA phishing‑as‑a‑service kit to bypass multi‑factor authentication by intercepting verification methods, rotating unique subdomains and hiding behind Cloudflare Turnstile gates that filter automated analysis. Ontinue found the kit simulates SMS, authenticator apps, push prompts and hardware tokens while dynamically applying corporate branding to match victims' email domains. Industry experts characterize this as a more mature, evasive form of phishing and recommend phishing‑resistant authentication, runtime inspection and continuous user training.

🔒 GitGuardian disclosed a campaign called "GhostAction" that tampers with GitHub Actions workflows to harvest and exfiltrate secrets to attacker-controlled domains. Attackers modified workflow files to enumerate repository secrets, hard-code them into malicious workflows, and forward credentials such as container registry and cloud provider keys. The researchers say 3,325 secrets from 327 users across 817 repositories were stolen, and they published IoCs while urging maintainers to review workflows, rotate exposed credentials, and tighten Actions controls.

🔒 A rapid open source response contained a supply-chain compromise after maintainer Josh Junon (known as 'qix') reported his npm account was hijacked on September 8. Malicious versions of widely used packages including chalk, strip-ansi and color-convert were published embedding an crypto-clipper that swaps wallet addresses and hijacks transactions. The community and npm removed tainted releases within hours, limiting financial impact and exposure.

🔓 Security firm Aikido uncovered a coordinated supply chain attack that injected obfuscated, browser-based malware into 18 popular npm packages — including chalk, debug, and ansi-styles — collectively receiving two billion weekly downloads. The malicious updates, pushed beginning September 8, intercept and manipulate web3 and crypto interactions in the browser to silently rewrite payment destinations and approvals. The campaign originated from a phishing operation that abused a typosquatted domain (npmjs.help) to compromise maintainer accounts, and although the attacker demonstrated web3 knowledge, tracked losses were modest (~$970). Researchers warn enterprise defenses are largely blind to this API-level interceptor and call for stronger attestation and signed publication workflows.

🛡️ ThreatFabric has identified a new Android remote access trojan, RatOn, that combines NFC relay attacks with automated money-transfer (ATS) and overlay capabilities to target cryptocurrency wallets and conduct device fraud. Attackers distribute droppers via fake Play Store listings (masquerading as a TikTok 18+ app) aimed at Czech and Slovak users, then request accessibility and device-admin permissions. RatOn deploys a third-stage NFSkate module for Ghost Tap NFC relays, presents overlay or ransom-style screens, captures PINs and seed phrases, records keystrokes, and exfiltrates sensitive data to attacker servers to drain accounts.

🕵️ The House Select Committee on Strategic Competition between the US and the CCP says Chinese-affiliated actors impersonated Representative John Moolenaar in multiple recent emails to trusted counterparts, delivering malicious files and links designed to compromise systems. The Committee's technical analysis found the attackers abused cloud services and developer tools to hide activity and exfiltrate data, behaviour it calls state-sponsored tradecraft. A Wall Street Journal report linked one bogus Moolenaar email to the Chinese-associated APT41, and the Committee has shared indicators with the FBI and US Capitol Police. Moolenaar condemned the operations and said the Committee will continue investigative and defensive work to protect sensitive deliberations.

🔒 Security researchers uncovered a variant of a campaign that abuses the TOR network and exposed Docker APIs to deploy cryptojacking and reconnaissance tooling. Akamai, which identified the activity last month, says attackers create Alpine containers, mount the host filesystem, and execute a Base64 payload that downloads a shell script from a .onion domain. The downloader alters SSH for persistence and installs utilities like masscan, torsocks and zstd while a Go-based dropper and compressed binary enable scanning and propagation.

🔒 Salesloft confirmed that a threat actor gained access to its GitHub account between March and June 2025, using that access to download repositories, add a guest user and create workflows. The attacker then moved into the Drift app environment, obtained OAuth tokens and used Drift integrations to access customers’ Salesforce instances and exfiltrate secrets. Affected customers include security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler. Google Mandiant performed containment, rotated credentials and validated segmentation; the incident is now in forensic review.