All news in category "Incidents and Data Breaches"

Chinese Cyber Espionage Impersonates US Congressman via Email

🕵️ The House Select Committee on Strategic Competition between the US and the CCP says Chinese-affiliated actors impersonated Representative John Moolenaar in multiple recent emails to trusted counterparts, delivering malicious files and links designed to compromise systems. The Committee's technical analysis found the attackers abused cloud services and developer tools to hide activity and exfiltrate data, behaviour it calls state-sponsored tradecraft. A Wall Street Journal report linked one bogus Moolenaar email to the Chinese-associated APT41, and the Committee has shared indicators with the FBI and US Capitol Police. Moolenaar condemned the operations and said the Committee will continue investigative and defensive work to protect sensitive deliberations.

Tor-based Cryptojacking Campaign Shows Botnet Potential

🔒 Security researchers uncovered a variant of a campaign that abuses the TOR network and exposed Docker APIs to deploy cryptojacking and reconnaissance tooling. Akamai, which identified the activity last month, says attackers create Alpine containers, mount the host filesystem, and execute a Base64 payload that downloads a shell script from a .onion domain. The downloader alters SSH for persistence and installs utilities like masscan, torsocks and zstd while a Go-based dropper and compressed binary enable scanning and propagation.

Salesloft: GitHub Compromise Led to Drift OAuth Theft

🔒 Salesloft confirmed that a threat actor gained access to its GitHub account between March and June 2025, using that access to download repositories, add a guest user and create workflows. The attacker then moved into the Drift app environment, obtained OAuth tokens and used Drift integrations to access customers’ Salesforce instances and exfiltrate secrets. Affected customers include security vendors such as Tenable, Qualys, Palo Alto Networks, Cloudflare and Zscaler. Google Mandiant performed containment, rotated credentials and validated segmentation; the incident is now in forensic review.

Popular npm packages trojanized to mine cryptocurrency

⚠️ Several widely used npm packages were trojanized after attackers phished maintainers, injecting obfuscated JavaScript that turns affected web applications into cryptodrainers. The malicious code executes in visitors' browsers, intercepting network traffic and API requests to rewrite cryptocurrency wallet addresses for Ethereum, Bitcoin, Solana, Litecoin, Bitcoin Cash and Tron and redirect funds to attacker-controlled wallets. npm removed infected packages about three hours after the attack began, but total downloads during that window remain unknown. Developers are advised to audit dependencies, pin safe versions with overrides in package.json, and use anti-phishing protections.

Hackers Briefly Compromise Two ARTE YouTube Channels

⚠️ Unknown actors briefly gained control of two YouTube channels belonging to the German-French cultural broadcaster Arte, the broadcaster said. The intrusion affected the main channel and Arte Concert, temporarily replacing documentaries and concert programming with cryptocurrency videos and clips referencing Donald Trump and Elon Musk. Arte said the unauthorized access was blocked and a comprehensive analysis of causes and scope is under way; Medieninsider first reported the incident.

Phished Maintainer Leads to Compromise of 20 npm Packages

⚠️ A maintainer of widely used npm packages was phished, allowing attackers to publish malicious updates to 20 modules that together exceed two billion weekly downloads. Researchers from Aikido Security and Socket found the injected payload hooks browser APIs (window.fetch, XMLHttpRequest, window.ethereum.request) to intercept and rewrite cryptocurrency transactions. The malware substitutes recipient addresses by computing Levenshtein distance to closely match intended wallets, putting end users and developers who connect wallets at risk. The incident highlights the persistent supply-chain threat to package ecosystems.

Plex Urges Password Resets After Customer Data Breach

🔒 Plex reports an unauthorized third party accessed a limited subset of customer authentication data, including email addresses, usernames, and securely hashed passwords. The company says it quickly contained the incident and that no payment card information was stored on its servers. Because Plex did not disclose the hashing algorithm used, it recommends users reset their passwords, enable two‑factor authentication, and use the “Sign out connected devices after password change” option to terminate active sessions. Plex reminded customers it will never request passwords or card details by email.

45 Previously Unreported Domains Linked to Salt Typhoon

🔍 Silent Push researchers have identified 45 previously unreported domains tied to China-linked threat clusters Salt Typhoon and UNC4841, with registrations dating as far back as May 2020. The infrastructure shows overlap with UNC4841, the group associated with exploitation of a Barracuda ESG zero‑day (CVE-2023-2868). Investigators discovered three Proton Mail addresses used to register 16 domains with fabricated contact details and found many domains resolving to high‑density IP addresses. Organizations are urged to search five years of DNS logs and audit requests to the listed IPs and subdomains.

18 Popular JavaScript Packages Hijacked to Steal Crypto

🔐 Akido researchers found that at least 18 widely used JavaScript packages on NPM were briefly modified after a maintainer was phished, impacting libraries downloaded collectively more than two billion times weekly. The injected code acted as a stealthy browser interceptor, capturing and rewriting cryptocurrency wallet interactions and payment destinations to attacker-controlled accounts. The changes were rapidly removed, but experts warn the same vector could deliver far more disruptive supply-chain malware if not addressed. Security specialists urge mandatory phish-resistant 2FA and stronger commit attestation for high-impact packages.

GhostAction GitHub Supply Chain Attack Exposes 3,325 Secrets

🚨 A GitHub supply chain campaign dubbed GhostAction has exposed 3,325 secrets across multiple package ecosystems and repositories. GitGuardian says attackers abused compromised maintainer accounts to insert malicious GitHub Actions workflows that trigger on push or manual dispatch, read repository secrets, and exfiltrate them via HTTP POST to an external domain. Compromised credentials include PyPI, npm, DockerHub, Cloudflare, AWS keys and database credentials; vendors were notified and many repositories reverted the changes.

Lovesac Confirms Data Breach Following Ransomware Claim

🔒 Lovesac reported a cybersecurity incident in which unauthorized actors accessed internal systems between February 12, 2025 and March 3, 2025, with the company detecting the activity on February 28, 2025. The notice to impacted individuals states that full names and additional personal information were stolen, although specific data elements and the total number of affected people were not disclosed. Lovesac says it remediated the intrusion within three days and currently has no indication the information has been misused, but it is advising vigilance for phishing and other fraud. The RansomHub ransomware group claimed responsibility and added Lovesac to its extortion portal; affected individuals are being offered 24 months of Experian credit monitoring.

Calcio sports piracy network with 123M annual visits shut

🛑 Calcio, a major illegal sports-streaming platform that drew over 123 million visits in the past year across 134 domains, has been shut down after coordinated action by ACE and DAZN. The Moldova-based operator agreed to cease operations and transferred domains to ACE, which now redirects them to its Watch Legally site. The service had been especially popular in Italy, accounting for more than 80% of traffic.

Attackers Inject Malware into Popular npm Packages

🚨 Attackers phished and hijacked a package maintainer's account via a fake support domain, then updated index.js files in multiple npm packages to inject a browser-based interceptor. The malicious code targets web clients, monitoring Ethereum, Bitcoin, Solana, Tron, Litecoin and Bitcoin Cash transactions and replacing wallet destinations to redirect funds. Affected packages collectively account for over 2.6 billion weekly downloads, making this a substantial supply-chain compromise. Investigation and remediation are ongoing.

Salesloft March GitHub Breach Led to Salesforce Data Theft

🔒 Salesloft says attackers first breached its GitHub account in March, enabling the theft of Drift OAuth tokens later abused to access customer systems. The stolen tokens were used in widespread Salesforce data-theft operations disclosed in August, affecting multiple enterprise customers. Salesloft engaged Mandiant, rotated credentials, isolated Drift infrastructure, and restored integrations after validating containment.

GitHub Account Compromise Led to Salesloft Drift Breach

🔒 Salesloft says the breach tied to its Drift application began after a threat actor compromised its GitHub account. Google-owned Mandiant traced the actor, tracked as UNC6395, accessing the account from March through June 2025 and downloading repository content, adding a guest user and establishing workflows. Attackers then accessed Drift's AWS environment and obtained OAuth tokens used to reach customer data via integrations, prompting Salesloft to isolate Drift infrastructure and take the application offline on September 5, 2025. Salesloft recommends revoking API keys for third-party apps integrated with Drift, and Salesforce has restored most Salesloft integrations while keeping Drift disabled pending further remediation.

Wealthsimple Confirms Supply-Chain Breach Affecting 30,000

🔒 Wealthsimple has confirmed a supply-chain related data breach that exposed information for roughly 30,000 customers after software from a third-party vendor was compromised on August 30. The leaked data reportedly included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. Wealthsimple says passwords were not accessed, no client accounts were compromised and no funds were stolen. The firm says it contained the intrusion within hours, notified regulators and is offering affected customers two years of free credit monitoring, dark-web monitoring, identity theft protection and a dedicated support team.

MostereRAT Targets Windows with Layered Stealth Tactics

🔒 FortiGuard Labs has uncovered MostereRAT, a Remote Access Trojan targeting Microsoft Windows that uses layered evasion and persistence techniques. Written in Easy Programming Language, the malware deploys a multi-stage chain, uses mutual TLS for C2 communication, and can disable Windows Update and antivirus processes. The campaign, aimed largely at Japanese users, begins with phishing emails that lead to a malicious Word download and installs services running at SYSTEM-level, while deploying remote access tools such as AnyDesk and TightVNC.

German Cyberattack Forces Wehrle-Werk AG into Insolvency

🔒 Wehrle-Werk AG has filed for insolvency after 165 years of operation, citing a damaging cyberattack in May 2024 that severely disrupted production, communications and business processes. A provisional insolvency administrator has been appointed to secure operations, conduct talks with customers and suppliers, and arrange pre-financing of insolvency wages to ensure employee pay for the coming months. The Baden-Württemberg firm, which employs around 250 staff and specializes in environmental technology—thermal waste disposal, sewage sludge combustion for phosphorus recovery and wastewater treatment—reported that its subsidiaries in Switzerland, Spain, the UK, Russia and Malaysia are not affected.

GhostAction Campaign Steals 3,325 Secrets via GitHub Actions

🔍GitGuardian disclosed a GitHub Actions supply chain campaign named GhostAction that exfiltrated 3,325 secrets from 327 users across 817 repositories before being contained on September 5. Attackers injected malicious workflow files to harvest CI/CD tokens (including PYPI_API_TOKEN) and sent them via HTTP POST to an actor-controlled endpoint. GitGuardian coordinated with maintainers and registries to revert commits, set impacted packages to read-only, and notify vendors.

Qualys, Tenable Confirm Access in Salesloft Drift Attack

🔐 Tenable and Qualys reported limited unauthorized access to parts of their Salesforce records after attackers stole OAuth tokens from the Salesloft Drift integration. The incidents exposed support-case subject lines, initial descriptions and basic business contact details, but neither vendor's products or core services were affected. Both firms disabled the Salesloft Drift app, revoked or rotated credentials, and said they are working with Salesforce and investigators to contain the impact.