Cybersecurity Brief

WhatsApp Zero-Click, OAuth Abuse, npm Supply Chain, and Ransomware

Coverage: 01 Sept 2025 (UTC)

Patch and takedown efforts led the day as WhatsApp closed a zero‑click chain and Amazon disrupted a watering‑hole campaign abusing Microsoft device code flows. At the same time, investigations into OAuth token abuse and package‑registry tampering underscored persistent risks to cloud tenants and developer workstations.

Patches and hardening: zero‑click chain closed, plugin SQLi fixed

Infosecurity reports that WhatsApp addressed CVE-2025-55177, a critical bug in linked‑device synchronization handling that the company believes was used in a targeted campaign, likely in combination with an Apple OS issue (CVE-2025-43300) Apple fixed on August 20. The flaw enabled processing of attacker‑hosted content on victim devices with no user interaction. WhatsApp lists affected iOS and Mac clients and urges immediate updates, audits of linked devices, and targeted forensics where compromise is suspected. Zero‑click chains demand swift response because they can silently grant surveillance‑grade access to messages, camera, microphone and files.

Infosecurity also details CVE-2025-49870, an unauthenticated SQL injection in the WordPress Paid Memberships Subscriptions plugin (10,000+ sites). Versions up to 2.15.1 improperly concatenated a user‑controlled payment ID from PayPal IPN into database queries, enabling arbitrary SQL. Maintainers released v2.15.2 with numeric validation and prepared statements. Admins should patch, review logs and handlers for abuse, and rotate credentials if exposure is suspected. The fix reinforces long‑standing guidance: bind variables and eliminate string‑built queries.

OAuth token abuse ripples via Drift integrations

KrebsOnSecurity chronicles fallout from unauthorized access tied to Salesloft’s Drift chatbot integrations between August 8 and 18, 2025. According to Google’s Threat Intelligence Group, actors tracked as UNC6395 leveraged stolen tokens—not platform vulnerabilities—to reach numerous Salesforce instances and connected services such as Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI, harvesting AWS keys, Snowflake tokens and other secrets for potential pivots. Salesforce temporarily blocked Drift integrations as containment, while responders urged immediate invalidation of tokens associated with Drift connections, broad credential rotation, and monitoring for lateral movement. The incident spotlights the risks of "authorization sprawl" in modern SaaS ecosystems.

BleepingComputer reports that Zscaler detected limited, integration‑scoped access to its Salesforce environment via the same Drift‑related supply‑chain compromise, exposing customer contact and licensing data and some support case content. Zscaler says core products and infrastructure were unaffected; the company revoked Drift connections, rotated API tokens, and hardened support authentication. Google attributed the broader campaign to UNC6395 and noted attempts to collect authentication material from support artifacts. Organizations are advised to revoke Drift‑linked OAuth grants, sweep logs for anomalous access, and tighten governance of third‑party app permissions.

Developer ecosystems targeted through npm supply chain

CSO describes a coordinated npm supply‑chain operation that seeded malicious Nx build‑system packages to harvest developer credentials and sensitive files from enterprise environments. Researchers at Wiz observed exfiltration of GitHub and npm tokens, SSH keys, environment variables and even browser or wallet data, uploaded—often multiply base64‑encoded—to thousands of attacker‑controlled public repositories. The initial vector was a vulnerable GitHub Actions workflow using pull_request_target with unsanitized titles, enabling code injection with elevated permissions. Attackers also coerced installed AI CLI tools using flags such as --dangerously-skip-permissions and --trust-all-tools, leading to hundreds of AI‑assisted exfiltrations. In parallel, JFrog identified eight malicious React‑related packages with 70+ layers of obfuscation and functions to steal Chrome data on Windows.

Scale and persistence risks are notable: Wiz recovered over 1,000 valid GitHub tokens and evidence of compromise across workstations, VSCode extensions and CI/CD pipelines; GitHub later disabled attacker repositories after roughly eight hours, but installed copies may persist. Recommended actions include removing affected Nx versions in favor of patched alternatives, rotating all GitHub, npm, SSH and API credentials, manually inspecting shell profiles and build environments, and deploying automated supply‑chain scanning to block obfuscated packages. Deletions from registries do not disinfect already compromised developer hosts or runners.

Intrusions and operations: watering‑holes, BYOVD and ransomware

Amazon says it disrupted a campaign attributed to APT29 that compromised legitimate sites to selectively redirect about 10% of visitors to pages impersonating Cloudflare and then into a malicious Microsoft device code authorization flow. The goal was to trick users into approving attacker‑controlled devices for persistent access to Microsoft 365 resources. Amazon isolated EC2 instances used in the operation and partnered with Cloudflare and Microsoft to take down identified domains, while noting the actor’s quick infrastructure pivots. Recommended mitigations include tightening conditional access, reviewing device approvals, and disabling unnecessary device code flows.

Infosecurity covers Check Point Research’s findings on Silver Fox using Bring Your Own Vulnerable Driver (BYOVD) techniques to deploy the ValleyRAT backdoor. Attackers abused legitimate but vulnerable Windows drivers—including a Microsoft‑signed WatchDog component and a Zemana‑based driver—to terminate AV and EDR processes, even protected ones, clearing the path for persistence and exfiltration. Loader binaries bundled drivers, anti‑analysis features, persistence, a list of security processes to kill, and a ValleyRAT downloader. Adversaries tweaked driver timestamps—outside the signed region—to evade hash‑based detection while retaining valid signatures. CPR recommends enforcing Microsoft’s driver blocklist, deploying YARA rules, and using behavior‑based monitoring to flag abnormal driver activity.

The Hacker News details Operation HanKook Phantom, where ScarCruft (APT37) targeted South Korean academics and researchers with spear‑phishing ZIPs carrying LNK shortcuts that dropped the RokRAT backdoor. RokRAT can run commands, enumerate files, capture screenshots, and fetch payloads, exfiltrating via cloud services like Dropbox, Google Cloud, pCloud and Yandex Cloud. Variants used obfuscated PowerShell and decoys to conceal execution. The campaign aligns with a focus on intelligence collection against government, research and academic sectors.

Infosecurity reports that Pennsylvania’s Office of Attorney General experienced a ransomware incident that took servers, email, the website and landlines offline earlier in August, prompting some court extensions. The office confirmed file encryption and said no ransom was paid. An active investigation limits disclosures; data‑theft status remains unconfirmed. Email access has been restored for most staff and main lines are back online, but recovery and integrity verification continue. The episode highlights continued pressure on public‑sector resilience.

These and other news items from the day:

Mon, September 1, 2025

Supply-Chain Attack on npm Nx Steals Developer Credentials

🔒 A sophisticated supply-chain attack targeted the widely used Nx build-system packages on the npm registry, exposing developer credentials and sensitive files. According to a report from Wiz, attackers published malicious Nx versions on August 26, 2025 that harvested GitHub and npm tokens, SSH keys, environment variables and cryptocurrency wallets. The campaign uniquely abused installed AI CLI tools (for example, Claude and Gemini) by passing dangerous permission flags to exfiltrate file-system contents and perform reconnaissance, then uploaded roughly 20,000 files to attacker-controlled public repositories. Organizations should remove affected package versions, rotate exposed credentials and inspect developer workstations and CI/CD pipelines for persistence.

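The initial vector described in the summary above (a pull_request_target workflow that interpolates an unsanitized pull request title into a step) and the Nx item here can be checked for in CI configuration before a build runs. The following scanner is an added example, not code from Wiz or the Nx project: a dependency-free Python pass over workflow text that flags `${{ github.event.pull_request.* }}` expressions placed directly inside run: steps of workflows triggered by pull_request_target. Both workflow texts are constructed; only the title context is on the page, and the other author-controlled contexts in UNTRUSTED_CONTEXTS are added as an assumption to make the check more general.

```python
import re

# GitHub Actions expression contexts whose value a pull-request author controls.
# Only the title is mentioned on the page; the others are well-known siblings and
# are included as an assumption so the scanner generalizes beyond the one case.
UNTRUSTED_CONTEXTS = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.pull_request.head.label",
    "github.head_ref",
)

EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
RUN_RE = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def _run_lines(lines):
    """Yield (line_no, text) for every line that forms part of a run: value.

    Handles single-line values and block scalars (|, >); a block scalar
    continues while lines are indented deeper than the run: key itself.
    """
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(lines[i]) - len(lines[i].lstrip(" -"))
        value = m.group(2).strip()
        if value in ("|", "|-", "|+", ">", ">-", ">+"):
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip(" ")) > key_col
            ):
                yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, value
            i += 1


def find_untrusted_run_expressions(workflow_text):
    """Return [(line_no, context), ...] for author-controlled expressions that
    are interpolated directly into run: steps of a pull_request_target workflow.

    Scoped to pull_request_target because that trigger runs with the base
    repository's secrets and write permissions; the same text under a plain
    pull_request trigger yields no findings from this check.
    """
    lines = workflow_text.splitlines()
    jobs_at = next((n for n, l in enumerate(lines) if l.startswith("jobs:")), len(lines))
    if not any("pull_request_target" in l for l in lines[:jobs_at]):
        return []
    findings = []
    for line_no, text in _run_lines(lines):
        for expr in EXPR_RE.findall(text):
            for ctx in UNTRUSTED_CONTEXTS:
                if ctx in expr:
                    findings.append((line_no, ctx))
                    break
    return findings


# Constructed sample: the title is expanded into the shell script itself, so a
# crafted title becomes part of the command line run with elevated permissions.
VULNERABLE_WORKFLOW = """\
name: pr-title-check
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened form: the expression is bound to an environment variable
# under env:, and the script reads that variable, so the title stays data.
HARDENED_WORKFLOW = """\
name: pr-title-check
on:
  pull_request_target:
    types: [opened, edited]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: $PR_TITLE"
"""

if __name__ == "__main__":
    print("vulnerable:", find_untrusted_run_expressions(VULNERABLE_WORKFLOW))
    print("hardened:", find_untrusted_run_expressions(HARDENED_WORKFLOW))
```

The scanner is line-based on purpose so it runs without a YAML library; the design point it encodes is the hardening step itself: an expression passed through env: arrives in the step as a variable the shell treats as a value, whereas an expression written inside run: is substituted into the script text before the shell ever sees it.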

Mon, September 1, 2025

WhatsApp Patches Zero-Click Zero-Day Exploit in iOS

🔒 WhatsApp has patched a critical zero-day (CVE-2025-55177) affecting linked-device synchronization that could allow processing of content from an arbitrary URL on a target device. The vendor says the flaw, when combined with an Apple OS-level out-of-bounds write (CVE-2025-43300), may have been exploited in a targeted, sophisticated zero-click attack. Apple patched the related OS issue on August 20. Users should apply the updated WhatsApp and WhatsApp Business iOS and Mac clients immediately.


Mon, September 1, 2025

Salesloft token theft exposes wide-ranging integrations

🔐 The mass theft of authentication tokens from Salesloft’s Drift chatbot has exposed integrations across hundreds of customers, according to Google. Attackers stole valid tokens for services including Slack, Google Workspace, Amazon S3, Microsoft Azure and OpenAI. GTIG said the campaign, tracked as UNC6395, siphoned large amounts of Salesforce data and searched the haul for credentials such as AWS keys, VPN logins and Snowflake access. Customers were urged to immediately invalidate and reauthenticate all Salesloft-connected tokens while Salesloft and incident responders investigate.


Mon, September 1, 2025

Weekly Recap: WhatsApp 0-Day, Docker Bug, Breaches

🚨 This weekly recap highlights multiple cross-cutting incidents, from an actively exploited WhatsApp 0‑day to a critical Docker Desktop bug and a Salesforce data-exfiltration campaign. It shows how attackers combine stolen OAuth tokens, unpatched software, and deceptive web content to escalate access. Vendors issued patches and advisories for numerous CVEs; defenders should prioritize patching, token hygiene, and targeted monitoring. Practical steps include auditing MCP integrations, enforcing zero-trust controls, and hunting for chained compromises.


Mon, September 1, 2025

Ransomware Disrupts Pennsylvania Attorney General’s Office

🔐 Pennsylvania’s Office of Attorney General (OAG) confirmed a ransomware attack in August that encrypted files and disrupted civil and criminal court proceedings, forcing several courts to grant time extensions. The OAG said no ransom has been paid and an active multi-agency investigation is underway; it has not yet indicated whether data was exfiltrated. Most staff — about 1,200 across 17 offices — have regained email, and the main phone line and website are restored while full system recovery continues.


Mon, September 1, 2025

Salesloft Drift Supply-Chain Attacks Also Hit Google

🔒 Google and security vendors say the Salesloft Drift supply-chain campaign is broader than initially reported. Threat actors tracked as UNC6395 harvested OAuth tokens from the Salesloft Drift integration with Salesforce and also accessed a very small number of Google Workspace accounts. Organizations should treat any tokens connected to Drift as potentially compromised, revoke and rotate credentials, review third-party integrations, and investigate connected systems for signs of unauthorized access.


Mon, September 1, 2025

ScarCruft Deploys RokRAT in 'HanKook Phantom' Campaign

🚨 Seqrite Labs has uncovered a spear-phishing campaign named Operation HanKook Phantom attributed to North Korea–linked ScarCruft (APT37). The attacks use ZIP attachments containing malicious Windows LNK shortcuts that masquerade as PDFs and drop a RokRAT backdoor while displaying decoy documents. RokRAT can collect system information, execute commands, enumerate files, capture screenshots, and download further payloads, exfiltrating data via cloud services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. A second observed variant leverages fileless PowerShell and obfuscated batch scripts to deploy additional droppers and conceal network traffic as browser file uploads.


Mon, September 1, 2025

Zscaler Salesforce Breach Exposes Customer Support Data

⚠️ Zscaler says threat actors accessed its Salesforce instance after a compromise of Salesloft Drift, during which OAuth and refresh tokens were stolen and used to access customer records. Exposed information includes names, business email addresses, job titles, phone numbers, regional details, product licensing and commercial data, and content from certain support cases. Zscaler emphasizes the breach was limited to its Salesforce environment—not its products, services, or infrastructure—and reports no detected misuse so far. The company has revoked Drift integrations, rotated API tokens, tightened customer authentication for support, and is investigating.


Mon, September 1, 2025

Silver Fox Abuses Microsoft-Signed Drivers to Deploy RAT

⚠️ A newly discovered campaign attributed to the Silver Fox APT abuses trusted Microsoft-signed drivers to bypass security protections and install a remote access tool. Check Point Research found attackers used the WatchDog driver (amsdk.sys) and an older Zemana-based driver to terminate antivirus and EDR processes, enabling deployment of ValleyRAT. Researchers observed loaders with anti-analysis, persistence, embedded drivers and hardcoded lists of security processes, and warn that timestamp edits can preserve valid signatures while evading hash-based detection.


Mon, September 1, 2025

Amazon Disrupts APT29 Campaign Targeting Microsoft 365

🔒 Amazon disrupted an operation attributed to the Russian state-sponsored group APT29 that used watering-hole compromises to target Microsoft 365 accounts. The attackers injected obfuscated JavaScript into legitimate sites to redirect roughly 10% of visitors to fake Cloudflare verification pages and then into a malicious Microsoft device code authentication flow. Amazon isolated attacker EC2 instances and worked with Cloudflare and Microsoft to take down identified domains; the campaign did not affect Amazon's infrastructure.


Mon, September 1, 2025

Amazon Thwarts APT29 Watering Hole Targeting Microsoft

🔒 Amazon’s threat intelligence team disrupted a watering hole attack attributed to the Russian state‑linked group APT29 that attempted to abuse Microsoft device code authentication flows. Compromised websites injected JavaScript that redirected about 10% of visitors to attacker-controlled domains mimicking Cloudflare verification pages. Amazon reported no AWS service compromise; attackers used evasion techniques and quickly rotated infrastructure.


Mon, September 1, 2025

Android droppers now pushing SMS stealers and spyware

🛡️ Security researchers warn that Android dropper apps are increasingly used to deliver not only banking trojans but also SMS stealers, spyware and lightweight payloads. According to ThreatFabric, attackers in India and parts of Asia are packaging payloads behind benign "update" screens to evade targeted Play Protect Pilot Program checks, fetching and installing the real payload only after user interaction. Google says it found no such apps on Play and continues to expand protections, while Bitdefender links malvertising campaigns to Brokewell distribution.


Mon, September 1, 2025

Suspected Hacker Arrested for Tampering School Grades

🔒 Spanish police arrested a 21-year-old suspect in Seville accused of accessing the Andalusian Education Ministry's systems to alter high school and university entrance exam grades for himself and several classmates. Authorities say at least 13 university professors' work accounts across Almería, Cádiz, Córdoba, Seville and Jaén were compromised and emails accessed. Seized computer equipment and a notebook listing manipulated grades were recovered during the search, and regional security for the Séneca platform has been tightened.


Mon, September 1, 2025

Critical SQLi in Paid Memberships Subscriptions Plugin

🔒 A critical unauthenticated SQL injection vulnerability (CVE-2025-49870) was discovered in the WordPress Paid Memberships Subscriptions plugin affecting versions up to 2.15.1, used by over 10,000 sites. Patchstack Alliance researcher ChuongVN reported the flaw, which stems from unsafe handling of PayPal IPN payment IDs. The vendor released 2.15.2 to enforce numeric validation of payment IDs, adopt prepared statements and strengthen input handling; administrators should update immediately.

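The defect pattern behind this item and the plugin section of the summary above (a payment ID from the PayPal IPN callback concatenated into a query) and its fix (numeric validation plus a prepared statement) are shown side by side below. This is an added example, not the plugin's code: the plugin is PHP, and this stand-in uses Python with sqlite3; the payments table, the handler names and the `payment_id` parameter are constructed assumptions, since the page does not give the IPN field name.

```python
import re
import sqlite3

# Plain positive integer, ASCII digits only (str.isdigit would also accept
# Unicode digits that int() then rejects).
PAYMENT_ID_RE = re.compile(r"[1-9][0-9]*")


def build_db():
    """Constructed in-memory table standing in for the plugin's payment records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE payments (id INTEGER PRIMARY KEY, amount REAL, status TEXT);
        INSERT INTO payments VALUES (1, 9.99, 'pending'), (2, 19.99, 'pending');
        """
    )
    return conn


def lookup_payment_vulnerable(conn, payment_id):
    """The flaw pattern: the value taken from the IPN request is pasted into
    the query text, so the sender of the callback decides where the SQL ends."""
    sql = "SELECT id, amount, status FROM payments WHERE id = " + str(payment_id)
    return conn.execute(sql).fetchall()


def is_valid_payment_id(payment_id):
    """Numeric validation: the IPN field must be a plain positive integer."""
    return isinstance(payment_id, str) and PAYMENT_ID_RE.fullmatch(payment_id) is not None


def lookup_payment_fixed(conn, payment_id):
    """The fix pattern: validate first, then bind the value as a parameter.
    Returns None when the input is rejected so the handler can log and stop."""
    if not is_valid_payment_id(payment_id):
        return None
    return conn.execute(
        "SELECT id, amount, status FROM payments WHERE id = ?", (int(payment_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Constructed inputs: a normal id and a tautology that widens the WHERE clause.
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "vulnerable ->", lookup_payment_vulnerable(conn, value))
        print(repr(value), "fixed      ->", lookup_payment_fixed(conn, value))
```

Run stand-alone, the vulnerable lookup returns one row for "1" and every row for "1 OR 1=1", while the fixed lookup returns the single row for a valid id and None for anything that is not a bare integer. The two controls are independent: the bound parameter alone already keeps the value out of the SQL grammar, and the numeric check additionally rejects malformed callbacks before any query is issued.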

Mon, September 1, 2025

When Browsers Become the Attack Surface: Rethinking Security

🔒 As enterprises shift more critical work to the browser, adversary Scattered Spider (UNC3944) targets live browser data—saved credentials, calendars, and session tokens—to achieve account takeover and persistent access. The article highlights techniques like Browser-in-the-Browser overlays, JavaScript injection, malicious extensions, and token theft that evade conventional EDR. It recommends elevating browser-native controls: runtime JavaScript protection, session-token binding, extension governance, API restrictions, and integrated browser telemetry so CISOs treat browser security as a primary defense layer.


Mon, September 1, 2025

BSI Urges Users to Assess Outage Risks in Digital Products

🔒 The German Federal Office for Information Security (BSI) recommends that consumers consider potential outage risks when selecting digital products and services. Users should evaluate how manufacturers handle security incidents, what happens to personal or family data, and whether vendors have a solid security reputation or trustworthy seals. The BSI also advises checking published information about incidents, remediation measures and contact options. Because free Windows 10 updates end on October 14, the agency urges timely upgrades or migration to alternatives such as macOS or Linux to help preserve confidentiality, integrity and availability.


Mon, September 1, 2025

Women Cyber Leaders Growing Representation and Mentorship

👩‍💻 Female cybersecurity leaders report improving representation and influence, with 55% of women in managerial or higher roles even though women comprise just 22% of the cybersecurity workforce, according to a recent ISC2 report. Executives including Carol Lee Hobson and Cindi Carter note more women stepping into CISO and board-level positions and a stronger talent pipeline from STEM programs. However, salary gaps persist (median US pay: men $150,000; women $140,000), and many still face limited mentorship and subtle bias. Leaders emphasize mentoring, sponsorship, and networking groups as essential to sustaining progress.


Mon, September 1, 2025

Avoid Becoming a Money Mule: Risks, Tactics, Prevention

⚠️ Money mules are individuals whose bank accounts are used to move or withdraw stolen funds, often without their knowledge. Scammers recruit mules through fake job offers, in-person pleas, or off-the-books work, promising small payments for receiving or forwarding transfers. Legal consequences can be severe — fines, prosecution, and imprisonment — even if you were unaware. Protect yourself by refusing unsolicited transfers, keeping bank details private, and insisting on formal contracts for any employment.


Mon, September 1, 2025

Fortinet Marks International Women in Cybersecurity Day

👩‍💻 Fortinet marks International Women in Cybersecurity Day 2025 by highlighting programs that expand access to cybersecurity training and career pathways for women. The Fortinet Training Institute and its Education Outreach Program provide free access to Network Security Expert (NSE) training and certifications, and run instructor-led initiatives such as the Networking Fundamentals Bootcamp. Through a four-year partnership with WiCyS, Fortinet supported regional meetups and led a Hands-on SOC Workshop at the WiCyS Annual Conference (April 2–5, 2025) in Dallas. These efforts are positioned to address the global cyber skills gap ahead of the forthcoming 2025 Cyber Skills Report.


Mon, September 1, 2025

Spotlight Report: Navigating IT Careers in the AI Era

🔍 This spotlight report examines how AI is reshaping IT careers across roles—from developers and SOC analysts to helpdesk staff, I&O teams, enterprise architects, and CIOs. It identifies emerging functions and essential skills such as prompt engineering, model governance, and security-aware development. The report also offers practical steps to adapt learning paths, demonstrate capability, and align individual growth with organizational AI strategy.


Mon, September 1, 2025

12 Days Left to Nominate for CSO30 Awards 2025 — Apply

🏆 With only 12 days until the 12 September 2025 nomination deadline, the CSO30 ASEAN Awards invite senior security leaders to submit entries that demonstrate outstanding leadership, innovation, and measurable business value. Categories include Business Value, Leadership, and Public‑Private Partnership. Winners will be honoured at an in‑person ceremony in Singapore and join a global community of top CISOs and security executives.


Mon, September 1, 2025

Top Cybersecurity Certifications to Advance a CISO Career

🔐 Certifications in cybersecurity validate expertise, increase credibility and can accelerate advancement into CISO roles. This article highlights five widely recognized credentials — CISSP, CCSP, CISM, CISA and the SANS/GIAC Strategic Planning, Policy and Leadership — and summarizes their primary focus areas and prerequisite experience. Experts advise selecting certifications that align with your career path, technical domain and leadership goals. While certifications are valued internationally (including in Germany), they complement rather than replace relevant experience and other leadership qualities.
